I saw JAAS mentioned on the forum today, but I don't know what it is. I found this online and benefited a lot.
The Java Authentication and Authorization Service (JAAS, the Java authentication and authorization API) provides a flexible and scalable mechanism for securing Java programs on the client or on the server. Java's early security framework emphasized protecting users from downloaded code by verifying the source and the author of the code. JAAS instead emphasizes protecting the system from its users by verifying who is running the code and what permissions he or she has. It allows standard security mechanisms such as Solaris NIS (Network Information Service), Windows NT, LDAP (Lightweight Directory Access Protocol) and Kerberos to be integrated into the system in a configurable manner.
Have you ever needed to implement a login module for an application? If you are a reasonably experienced programmer, I believe you have done this job many times, and each time it was slightly different. You may have built your login module on top of an Oracle database, or used NT user authentication, or an LDAP directory. If there were a way to support all of the security mechanisms mentioned above without changing the application-level code, it would be a lucky thing for programmers.
Now you can use JAAS to achieve this goal. JAAS is a relatively new Java API: in J2SE 1.3 it is an extension package, and in J2SE 1.4 it became a core package. In this article we introduce the core concepts of JAAS and then illustrate with examples how to apply JAAS in real programs. The example in this article is adapted from a web-based Java application in which a relational database stores the user login information. With JAAS, we implemented a robust and flexible login and authentication module.
Client and server JAAS
Developers can apply JAAS on both the client and the server. Using JAAS on the client is simple. Using JAAS on the server is more complicated: JAAS support across the application server market is not very consistent, and there are minor differences in how the J2EE application servers use JAAS. For example, JBossSX uses its own structure to integrate JAAS into a larger security framework. X also uses JAAS, but its security framework is completely different. Now you can understand why we need to look at JAAS from both the client and the server perspective. We will give examples for both cases. To keep the server-side example programs simpler, we use the Resin application server.
Core JAAS classes
Before you can use JAAS, it must be installed. JAAS is included in J2SE 1.4 but not in J2SE 1.3; if you use J2SE 1.3, you can download JAAS separately. After JAAS is installed correctly, you will find jaas.jar in the lib directory of the installation directory, and you need to add its path to the classpath. (Note: if the application server you have installed already includes JAAS, read the application server's documentation for details.) Some JAAS-related system properties can be changed in the Java security properties file java.security, which is saved in the <jre_home>/lib/security directory.
The following steps are generally involved when using JAAS for authentication in an application:
1. Create a LoginContext instance.
2. Pass a CallbackHandler object to the LoginContext as a parameter; it is used to obtain and process the authentication information.
3. Call the login() method of the LoginContext to authenticate.
4. Use the Subject object returned by the login() method to perform the application's privileged work (assuming the login succeeded).
The following is a simple example:
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

LoginContext lc = new LoginContext("MyExample");   // the constructor also throws LoginException
try {
    lc.login();
} catch (LoginException e) {
    // Authentication failed; handle it here (for example, return) so that the
    // code below does not run with a null Subject.
}
// Authentication successful, we can now continue.
// We can use the returned Subject if we like.
Subject sub = lc.getSubject();
Subject.doAs(sub, new MyPrivilegedAction());
When this code runs, the following work happens behind the scenes:
1. During initialization, the LoginContext object first finds the MyExample entry in the JAAS configuration file and determines which LoginModule objects to load (see Figure 2).
2. During login, the LoginContext object calls the login() method of each LoginModule object.
3. Each login() method either performs the authentication itself or obtains a CallbackHandler object.
4. The CallbackHandler object interacts with the user through one or more Callback objects to obtain the user's input.
5. The authentication information is stored in a new Subject object.
We will explain the code further, but before that, let's take a look at the core JAAS classes and interfaces. They can be divided into three groups:
Common: Subject, Principal, credential
Authentication: LoginContext, LoginModule, CallbackHandler, Callback
Authorization: Policy, AuthPermission, PrivateCredentialPermission
Most of the classes and interfaces listed above are in the javax.security.auth package. In J2SE 1.4, some of the implementation classes of these interfaces are in the com.sun.security.auth package.
Common types: Subject, Principal, credential
The Subject class represents an authenticated entity, which can be a user, an administrator, a web service, a device or another process. This class holds three kinds of security information:
Identity: represented by one or more Principal objects
Public credentials: for example, a name or a public key
Private credentials: for example, a password or a private key
Principal objects represent the identities of a Subject. They implement the java.security.Principal and java.io.Serializable interfaces. The most important method here is getName(), which returns the name of the identity. A Subject object contains multiple Principal objects because it can have multiple names: a login name, an ID card number and an email address can all serve as a user's identity, so a subject with several identity names is very common in practice.
The credential mentioned above is not a specific class or interface; it can be any object. A credential can hold the authentication information required by a particular security system, such as tickets, keys or passwords. The Subject object maintains a set of private credentials and a set of public credentials, obtained with the getPrivateCredentials() and getPublicCredentials() methods. These methods are generally called by the security subsystem in the application layer.
Authentication: LoginContext
In the application layer, you use a LoginContext object to authenticate a Subject. The LoginContext object also reflects the dynamic pluggability of JAAS, because when you create a LoginContext instance you must specify a configuration entry. The configuration is stored in a text file, and it tells the LoginContext object which LoginModule objects to use.
The three methods of LoginContext that are used most often:
login() activates all the LoginModule objects listed in the configuration. If it succeeds, it creates an authenticated Subject object; otherwise it throws a LoginException.
getSubject() returns the authenticated Subject object.
logout() cancels the Subject object and removes the associated Principal objects and credentials.
Authentication: LoginModule
LoginModule is the interface that invokes a specific authentication mechanism. J2SE 1.4 contains the following LoginModule implementation classes:
JndiLoginModule authenticates against a directory service configured in JNDI
Krb5LoginModule authenticates with the Kerberos protocol
NTLoginModule authenticates with the current user's NT user information
UnixLoginModule authenticates with the current user's UNIX user information
These modules come bundled with corresponding Principal implementation classes, such as NTDomainPrincipal and UnixPrincipal. These classes are in the com.sun.security.auth package.
The LoginModule interface contains five methods:
initialize() is called after a LoginModule instance has been created.
login() performs the authentication.
commit() is called after the LoginContext object has accepted the results returned by all LoginModule objects. This method assigns the Principal objects and credentials to the Subject object.
abort() is called when the authentication of any LoginModule object fails. In this case no Principal object or credential is associated with the Subject object.
logout() removes the Principal objects and credentials associated with the Subject object.
Application code usually does not call the methods listed above directly; they are called indirectly through the LoginContext.
Authentication: CallbackHandler and Callback
CallbackHandler and Callback objects let a LoginModule object collect the necessary authentication information while staying independent of the actual interaction with the user.
JAAS contains seven Callback implementation classes in the javax.security.auth.callback package, and two CallbackHandler implementation classes: ChoiceCallback, ConfirmationCallback, LanguageCallback, NameCallback, PasswordCallback, TextInputCallback and TextOutputCallback; and DialogCallbackHandler and TextCallbackHandler. The Callback interface will only be used on the client. I will introduce later how to write your own CallbackHandler class.
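The following is an added example, not code from the original post or from the JDK: it ties together the four application-level steps listed earlier, the Subject and Principal section, the five LoginModule methods, and the CallbackHandler section in one runnable program. The class names JaasExample, InMemoryLoginModule and StaticCallbackHandler, the configuration entry name MyExample, and the user table with the user alice and the password "correct horse" are all assumptions made for this example; the table stands in for the relational database the post uses. The Principal implementation is the JDK's com.sun.security.auth.UserPrincipal, from the package the post mentions. The example assumes Java 9 or newer, and it supplies the JAAS configuration programmatically so that it runs without a jaas.conf file.

```java
// Added example, not code from the original post: one complete JAAS round trip with the five
// LoginModule methods, a non-interactive CallbackHandler, a programmatic Configuration standing in
// for the jaas.conf entry, and the LoginContext sequence from the post. Assumes Java 9 or newer;
// the user table is constructed sample data in place of the relational database the post uses.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import com.sun.security.auth.UserPrincipal;   // JDK-supplied Principal implementation

public class JaasExample {
    /** LoginModule checking a constructed in-memory table (a real module would query the database). */
    public static final class InMemoryLoginModule implements LoginModule {
        private static final Map<String, char[]> USERS = Map.of("alice", "correct horse".toCharArray());
        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private boolean succeeded;
        private UserPrincipal principal;

        @Override public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }
        /** Phase 1: collect the credentials through the CallbackHandler and verify them. */
        @Override public boolean login() throws LoginException {
            if (handler == null) throw new LoginException("no CallbackHandler available");
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException("cannot collect credentials: " + e); }
            String name = nc.getName();
            char[] expected = name == null ? null : USERS.get(name);
            char[] given = Objects.requireNonNullElse(pc.getPassword(), new char[0]);
            pc.clearPassword();   // do not leave the password behind in the callback object
            // Constant-time comparison, so timing does not reveal how many characters matched.
            boolean ok = expected != null && MessageDigest.isEqual(utf8(expected), utf8(given));
            Arrays.fill(given, '\0');
            if (!ok) throw new FailedLoginException("invalid user or password");
            user = name; succeeded = true;
            return true;
        }
        /** Phase 2: the identity is bound to the Subject only once every module has succeeded. */
        @Override public boolean commit() {
            if (!succeeded) return false;
            subject.getPrincipals().add(principal = new UserPrincipal(user));
            return true;
        }
        @Override public boolean abort() { succeeded = false; user = null; return true; }
        @Override public boolean logout() {
            if (principal != null) subject.getPrincipals().remove(principal);
            principal = null; succeeded = false;
            return true;
        }
        private static byte[] utf8(char[] c) { return new String(c).getBytes(StandardCharsets.UTF_8); }
    }

    /** Non-interactive CallbackHandler: a web tier would fill these from the submitted login form. */
    public static final class StaticCallbackHandler implements CallbackHandler {
        private final String name;
        private final char[] password;
        public StaticCallbackHandler(String name, char[] password) { this.name = name; this.password = password; }
        @Override public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(name);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb, "unsupported callback type");
            }
        }
    }

    /** Programmatic form of the jaas.conf entry  MyExample { JaasExample$InMemoryLoginModule required; };
     *  (a file would instead be selected with -Djava.security.auth.login.config=jaas.conf). */
    static Configuration config() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!"MyExample".equals(name)) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(InMemoryLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap()) };
            }
        };
    }

    /** The application-level steps from the post: LoginContext, CallbackHandler, login(), then work as the Subject. */
    static void attempt(String user, String password) throws LoginException {
        LoginContext lc = new LoginContext("MyExample", null, new StaticCallbackHandler(user, password.toCharArray()), config());
        try {
            lc.login();
        } catch (LoginException e) {
            System.out.println(user + ": login failed (" + e.getMessage() + ")");
            return;
        }
        Subject sub = lc.getSubject();
        String who = Subject.doAs(sub, (PrivilegedAction<String>) () -> "running as " + sub.getPrincipals());
        System.out.println(user + ": " + who);
        lc.logout();   // removes the Principal again
        System.out.println(user + ": principals after logout = " + sub.getPrincipals());
    }

    public static void main(String[] args) throws LoginException {
        attempt("alice", "correct horse");   // succeeds
        attempt("alice", "wrong");           // fails with FailedLoginException
    }
}
```

Compile and run it with javac JaasExample.java and java JaasExample. The first attempt prints the Subject's principals inside doAs and then an empty set after logout(); the second attempt is rejected by login() with the FailedLoginException message, and because the module is marked required, the LoginContext calls abort() and never calls commit(), so no Principal is ever attached. The two-phase split is the point worth noticing: a module must not touch the Subject in login(), because another module in the same configuration may still fail.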
Reference address: http://hi.baidu.com/%D5%C5%B9%DA%C1%D6/blog/item/aba45743222f67159213c61b.html