JAAS 学习笔记

JAAS

Resource:http://hintcnuie.iteye.com/blog/245239

 

Authentication, Authorization and Access Control
The primary goal of JAAS is to manage the granting of permissions and performing security checks for those permissions.

 

1.Authentication

1.1 Concept

Principal is one of identifers of a subject.
Subject is a collection of principals.
Credential is a prove of principal, it could be any type of object.  

Authentication:The process to identify subject and attach credentials and principals to a subject.
LoginModule: provide a pluggable way to have system support JAAS.
                    used for authentication(login, and principals, credentials binding)
                    ( authentication technology providers interface)
LoginContext:describes the basic methods used to authenticate Subjects and provides a way to develop an
                    application independent of the underlying authentication technology.

                    ( Application Interface)            
Configuration:determine which LoginModules should be used,
                     and which ones must succeed in order for the overall authentication to succeed(consits of AppConfigurationEntrys).
CallbackHandler: communicate and interact with users to gather identification information
CallBack: store information gathered by CallbackHandler;

  

1.2Authentication Progress
Application employ LoginContext to get a authenticated Subject. At this time, LoginContext will ask the Configuration for the

plugined LoginModules, and call each LoginModule to attach principals and credentials to  Subject(owned by each LoginModule or LoginContext).
Before each LoginModule attach principals and credentials, there will be a chance for LoginModule to judge whether to attach or not,

it employ CallbackHandler to collect informations in the CallBacks. If the collected information is valid, it could do attach now(in LoginContext is commit).

 

2.Authorization && AccessControl

2.1 Concept

Permission defines what kind of actions on a target.
Permission = Permission Type + Target(permission effect on) + Action(Optional)  

Not a subject but principal is assigned to a permission(defined by policy).

 

Policy: defines which permission are granted to a given security context(principal).( Deploying time And RunTime) 

Authorization: binding permissions to princpals(policy)
Acess Control: access sensitive code employ AccessControler or Security Mananger to check subject have the right to access resources.

ProtectDomain: encapsulates a set of classes whose instances are granted a set of permissions when being executed on behalf of a given

                        set of Principals.

2.2 Acess Control Progress

 

3. Two Extensible Interface

  Subject -- Principals -- Permission: Jaas employs Pricipals to decouple the Subject and Principals.

 

  Configuration: support to dynamicly or staticly add/remove/edit LoginModules which attach pricipals to Subject.

                        It judges which pricipals a Subject could have.

 

   Policy: support to dynamicly or staticly add/remove permissions to a principal.

             It judges which permissions a principal could have.

4. JAAS in Tomcat

   Realm: as LoginModule, authenticate a user based on a username and password, adding “roles” to that user if authentication was successful.

             defined as Realm in server.xml  

   Role: as Principal, defined as security-role in web.xml  

   Authenticator: as access controller to take access control function. defined as login-config in web.xml.

               It look down security-constraint to check.