JAAS introduction and Examples

Source: Internet
Author: User

JAAS is an important supplement to the JCE security framework. It strengthens the run-time security of a Java solution by authenticating users and determining what they are authorized to do, so that resources can be properly protected and controlled (JAAS defines permissions in a dynamic security policy rather than embedding them statically in code).

JAAS is pluggable by design: to use it, you only need to write a JAAS configuration file, and the components it names are loaded into your application. Using the JAAS interfaces, developers and third parties can write components or beans that perform login authentication, or that obtain authentication information through interaction with users or external systems (of course, a stronger cryptographic protocol can be designed for that interaction). JAAS provides one set of classes and interfaces for user authentication, which is to say that an application supporting JAAS requires its users to log in, and another set of classes and interfaces for user authorization. Before discussing examples, here is a brief description of the common classes and interfaces in the JAAS API.

LoginModule: checks the validity of the user (through a CallbackHandler or other class methods) and assigns the Principals that carry access permissions to the Subject;
LoginContext: implements user identification, sets up the environment and imports the rules from the configuration file;
CallbackHandler: the callback processor, responsible for interacting with the user (the owner and executor of the code) to confirm the legitimacy of their identity;
Subject: represents the target of login processing, that is, the user to be identified. One or more Principal instances can be associated with it;
Principal: represents an entity with access permissions. It can be seen as a credential that allows certain operations to be performed.

 

To understand the relationship between these classes and interfaces, here is a vivid example: a military academy. At admission time, the academy (the LoginModule) decides whether an applicant (the Subject) is legitimate on the basis of the admission notice, a step carried out by the CallbackHandler. Once the CallbackHandler has confirmed it, the LoginModule issues the relevant credentials (Principals) to each Subject according to their identity, and with those credentials the Subject can access the corresponding resources: the level of the Principal decides which of the academy's resources the Subject may use.
If a Subject's Principal is at the level of a non-commissioned officer, fewer resources are accessible; at the level of a general, more are. Of course, one Subject can hold several Principals.
This analysis shows that JAAS follows an identity check plus permission allocation model, so a JAAS application is divided into two parts: (1) authentication; (2) authorization. The process is to authenticate first and then authorize according to the established identity (I may be accused of discrimination here).

So how does JAAS implement authentication, and how does it implement authorization? Let me break it down and show you the details.

JAAS authentication principles
(1) Set up the JAAS configuration file. Configuring it takes some skill, comparable to writing firewall filtering rules;
(2) Load one or more LoginModules according to the entries in the JAAS configuration file (usually one, although several can be stacked);
(3) To manage the user authentication process, an optional LoginModule constructor and a callback processor, the CallbackHandler, are provided. If no callback processor is supplied in the constructor, the system uses the default;
(4) Initialize and instantiate the LoginContext (loading the configuration rules). If configuration succeeds, call the login method of the LoginContext. The LoginContext first reads the JAAS configuration file to find out which login modules to load; the initialize method then supplies each LoginModule with the information it needs to run, according to the relevant entry in the configuration file;
(5) The login method of the LoginContext calls the login method of the LoginModule to determine the user's identity. This method sets up the relevant callbacks, and the callback processor, the CallbackHandler, manages the callbacks for login processing;
(6) The login method of the LoginModule is responsible for interacting with the user (either human-to-machine or machine-to-machine). If the information the user entered is invalid, this method returns false and the interaction ends. If the input is valid, the method sets the Principal object on the Subject object and returns true; of course, the LoginModule can also delegate all interaction with the user to the CallbackHandler. If login succeeds, the LoginContext calls the commit method of the LoginModule to commit the result held in the internal state of the LoginModule instance.

The following steps are generally involved when an application uses JAAS for authentication:
1. Create a LoginContext instance.
2. To obtain and process the authentication information, pass a CallbackHandler object to the LoginContext as a parameter.
3. Call the login() method of the LoginContext to authenticate.
4. Use the Subject object returned after the login() call to carry out the application's own work (assuming login succeeded).

The following is a simple example:

SimpleLogin.java

```java
package com;

import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class SimpleLogin {

    public static void main(String[] args) {
        // Create the login context and initialise it from the configuration file.
        // The configuration file must be in the same directory as the program.
        LoginContext loginContext = null;
        try {
            loginContext = new LoginContext("Simple", new SimpleCallbackHandle());
        } catch (LoginException e) {
            System.out.println(e.getMessage());
            return; // no context, nothing to log in to
        }

        try {
            // If no exception is thrown, authentication succeeded.
            loginContext.login();
        } catch (LoginException e) {
            // Report the failure instead of swallowing it silently.
            System.out.println("Login failed: " + e.getMessage());
        }
    }
}
```

SimpleCallbackHandle.java

```java
package com;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

public class SimpleCallbackHandle implements CallbackHandler {

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        // One shared reader: wrapping System.in once per callback can lose buffered input.
        BufferedReader in = new BufferedReader(new InputStreamReader(System.in));
        for (Callback callback : callbacks) {
            if (callback instanceof NameCallback) {
                NameCallback nc = (NameCallback) callback;
                System.out.print(nc.getPrompt());
                System.out.flush();
                nc.setName(in.readLine());
            } else if (callback instanceof PasswordCallback) {
                PasswordCallback pcb = (PasswordCallback) callback;
                System.out.print(pcb.getPrompt());
                System.out.flush();
                pcb.setPassword(in.readLine().toCharArray());
            } else {
                // Tell the LoginModule that this handler cannot serve the callback.
                throw new UnsupportedCallbackException(callback, "Unrecognized callback");
            }
        }
    }
}
```

SimpleLoginModule.java

```java
package com;

import java.io.IOException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class SimpleLoginModule implements LoginModule {
    private String username;
    private char[] password;
    private Subject subject;
    private CallbackHandler callbackHandler;
    private Map<String, ?> sharedState;
    private Map<String, ?> options;
    private String debug;

    public boolean abort() throws LoginException {
        System.out.println("abort()");
        return false;
    }

    public boolean commit() throws LoginException {
        // Nothing is added to the Subject here, so no Principal is available after login.
        System.out.println("commit()");
        return false;
    }

    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        this.sharedState = sharedState;
        this.options = options;
        // "debug" is the option name used in jaas.config.
        debug = (String) options.get("debug");
    }

    public boolean login() throws LoginException {
        Callback[] callbacks = new Callback[2];
        callbacks[0] = new NameCallback("Username: ");
        callbacks[1] = new PasswordCallback("Password: ", false);

        try {
            callbackHandler.handle(callbacks);
            username = ((NameCallback) callbacks[0]).getName();
            password = ((PasswordCallback) callbacks[1]).getPassword();

            // "true".equals(...) is null-safe when the option is absent.
            if ("true".equals(debug)) {
                System.out.println("The user name you entered is: " + username);
                System.out.println("The password you entered is: " + new String(password));
            }

            if ("Callan".equals(username) && "callanpass".equals(new String(password))) {
                System.out.println("Verified");
                return true;
            } else {
                System.out.println("Verification failed");
                username = null;
                password = null;
            }
        } catch (IOException e) {
            e.printStackTrace();
        } catch (UnsupportedCallbackException e) {
            e.printStackTrace();
        }
        // Returning false tells the LoginContext to ignore this module; since it is the only
        // "required" module in the configuration, the overall login then fails.
        return false;
    }

    public boolean logout() throws LoginException {
        System.out.println("logout()");
        return false;
    }
}
```

jaas.config

```
Simple {
    com.SimpleLoginModule required debug=true;
};
```

After the code is edited and compiled, run the following command (with jaas.config in the current directory, as noted above):

```
java -Djava.security.auth.login.config=jaas.config com.SimpleLogin
```
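The SimpleLoginModule above returns false from commit() and never places a Principal on the Subject, so after a successful login the Subject carries nothing a later authorization check could use. The class below is an added example, not code from the original page: a hypothetical TwoPhaseLoginModule (Java 16+; all names are mine) that splits the two phases the text describes, verifying the constructed demo credential in login() and throwing FailedLoginException on a mismatch, adding a Principal only in commit() and removing it in logout(), with a programmatic Configuration and a non-interactive CallbackHandler standing in for jaas.config and stdin so it runs on its own.

```java
package com;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
// Hypothetical module, not from the original page: login() only verifies, commit() grants the Principal.
public class TwoPhaseLoginModule implements LoginModule {
    record UserPrincipal(String name) implements Principal { public String getName() { return name; } }
    private Subject subject;
    private CallbackHandler handler;
    private String user;   // set by login(), consumed by commit(), cleared by abort()/logout()
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("Username: ");
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("callback failed: " + e.getMessage()); }
        char[] pw = pc.getPassword(); pc.clearPassword();   // getPassword() returns a copy; wipe the callback's own
        // Constructed demo credential (the same one the page uses); a real module consults a credential store.
        boolean ok = "Callan".equals(nc.getName()) && pw != null && Arrays.equals(pw, "callanpass".toCharArray());
        if (pw != null) Arrays.fill(pw, '\0');               // do not leave the secret lying in memory
        if (!ok) throw new FailedLoginException("bad user name or password");   // REQUIRED flag: whole login fails
        user = nc.getName(); return true;
    }
    public boolean commit() {                                 // phase two: only now does the Subject gain rights
        if (user == null) return false;
        return subject.getPrincipals().add(new UserPrincipal(user));
    }
    public boolean abort() { user = null; return true; }      // another module failed: grant nothing
    public boolean logout() {                                 // remove exactly what commit() added
        subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal); user = null; return true;
    }
    // Programmatic equivalent of the jaas.config entry; no -Djava.security.auth.login.config is needed.
    static final Configuration CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String n) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(TwoPhaseLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) }; } };
    public static void main(String[] args) throws LoginException {
        // Machine-to-machine CallbackHandler: answers the callbacks from preset values instead of stdin.
        CallbackHandler preset = cbs -> { for (Callback c : cbs) {
            if (c instanceof NameCallback) ((NameCallback) c).setName("Callan");
            if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("callanpass".toCharArray()); } };
        LoginContext lc = new LoginContext("Demo", new Subject(), preset, CONFIG);
        lc.login();                                           // login() on every module, then commit()
        System.out.println("Principals after commit: " + lc.getSubject().getPrincipals());
        lc.logout();                                          // the Principal is removed again
    }
}
```

Changing the preset password makes login() throw FailedLoginException and commit() is never reached, which is the behaviour the "required" control flag guarantees.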

 

 
