jaas policy

Date: Fri, 25 May 2001 18:23:51 -0700
Reply-To: java-security@SUN.COM
Sender: java-security@SUN.COM
From: Charlie Lai <charlie@ANGELES.ENG.SUN.COM>
Subject: Re: Need some clarification on JAAS
Comments: To: Tippu Sultan <tippu@interactive1.com>
Comments: cc: java-security@sun.com
In-Reply-To: <5.0.2.1.0.20000525114325.0328c7a0@mpop.netlink.co.uk> from
"Tippu Sultan" at May 25, 2000 11:43:47 AM
Content-Type: text/plain; charset=us-ascii

> We are trying to implement in jaas in one of our projects , the
> clarifications we need are
>
> 1. Which are the web server's support jaas authentication.
> 2.Which are the web server's support jaas authorisation
> 3. Whether weblogic6.0 supports jaas authorisation

unfortunately, i'm not sure about the answers to the above questions.

> 4. Is it necessary to have java.security.policy(java policy), with only
> java.security.auth.policy(jaas policy) we can't make jaas authorisation
>
> Is there any way to obtain the policy object dynamically ( We don't want to
> keep the policy object as a file java.security.poliy or
> java.security.auth.policy) we are able to create the policy object with
> out a file by making changes in java.security file but we are not able to
> add permissions to this file dynamically .

the policy implementation does not have to reside in a file.
you can implement your own policy and have the contents reside
in a database or server if you choose. the default implementation
simply uses a file. you could set your policy by using the
Policy.setPolicy API.

as for dynamic permissions, the next release of the JDK (1.4)
will have better support for dynamic permissions. therefore if you
refresh the policy, the updates will affect not only newly loaded classes,
but previously loaded classes as well.

> Our understanding on jaas is whenever we call doAs method the object send
> will make checking java.security.auth.policy(jaas policy) first and then it
> will check with java.security.policy(java policy) and then it will give
> result . this is not happening if we add permission directly to the policy
> object

you should view the JAAS policy and the JDK policy as one single policy.
the fact that it resides in 2 files, and the process of checking
those 2 files, are implementation details.
in fact, with the next release of the JDK (1.4) the two policies
are merged and there's only one policy file.

hope that helps.
charlie

==========================================================================
To unsubscribe, send email to listserv@java.sun.com and include in the body
of the message "signoff JAVA-SECURITY". For general help, send email to
listserv@java.sun.com and include in the body of the message "help".