"Java Security Technology Exploration Path series: Java Extensible Security Architecture" 16: Jaas (III): JAAS programming model

Guo Jia
Email: [Email protected]
Blog: http://blog.csdn.net/allenwells
Github:https://github.com/allenwell

One JAAS Certification

During the jars authentication process, the client application initiates authentication by instantiating the LoginContext object. Then, LoginContext communicates with Loginmodule, and the actual authentication process is performed by Loginmodule. Because Logincontex uses a common interface provided by the Loginmodule, it is easier to change the authentication provider at run time without any modifications to the Logingontext. A typical logi}ule will prompt for a username/password and verify it, or interact with other authentication providers such as RSA Secureld, smart cards, and biometric features. Loginmodule uses CallbackHandler to communicate with clients to perform user interaction to obtain authentication information and to advertise logon progress and authentication events.

1.1 Implementing the Jaas Login module

The steps to implement the Jaas login module are as follows:

1. Defines a class that represents the login module and implements the interface Loginmodule.
2. The method of implementing interface Loginmodule.

1.2 Configuring the provider for the Jaas login module

The Jaas login module is configured in the properties file java_home/jre/lib/security/java.security . To configure the jars login module in the J2SE environment,

To apply the provisioned Jaas login module

You can use the jars configuration file (such as my-jaas.conf) to configure the Jaas login module for your app. The jars configuration file specifies one or more Jaas login modules for authentication. Each item in the configuration file is identified with the app name and contains a list of login modules that are configured for the app. Each login module is specified by its fully qualified class name and an authentication flag value, and the authentication flag value can control the entire authentication behavior. The authentication process is executed in turn, in the list of entries specified in the configuration file. The following are the possible values for the authentication flag value:

• Required (required): Must be certified by the relevant login module, but regardless of success or failure, authentication will continue to process subsequent login modules.
• Requisite necessary): Indicates that the entire certification is considered successful only if the relevant login module succeeds. If successful, the authentication will continue to process the subsequent login module, and if it fails, the authentication will be completed and returned to the app.
• Sufficient (sufficient): Indicates that the entire authentication is successful as long as the relevant login module is certified successfully. If the relevant authentication succeeds, it returns to the application, no longer processes subsequent login modules, and if the authentication fails, the subsequent login module is processed.
• Optional (optional): The relevant Login module certification is not required to be successful. Regardless of the success of the relevant certification, will continue to process the subsequent login module.

If the flag value sufficient is not specified, the entire authentication is considered successful only if all required and requisite login modules are successful. If you do not specify any required or requisite login modules, you must have at least one sufficient or optional login module to be successful. In addition to the above flags, you can use a name-value pair to specify module-specific options that can be passed directly to the underlying login module.

1.3 Implementing JAAS authentication on the client

The steps to implement JAAS authentication on the client are as follows:

1. The client application instantiates a LoginContext object.
2. The LoginContext object loads the login module specified in the jars configuration file.
3. The client app invokes the login () method of the LoginContext object. The method invokes the loaded login module and attempts to subject the
   For certification. If successful, the Login module associates the client credentials (such as user name/password or token) with subject.
4. Finally, LoginContext returns the authentication status to the app. If the authentication succeeds, the app will retrieve the certified subject from the LoginContext.

Two Jaas authorizations

Jars authorization enhances the Java security model by adding access control mechanisms based on users, groups, and roles. It allows setting with
User-level and operation-level permissions to enforce access control for code performers. The subject object created during the authentication process represents an authenticated entity. Subject objects typically contain a set of principal, where each principal represents the caller of an app. Permissions are granted to principal using a policy. When the logged-on user passes authentication, the app associates the principal and Subject objects based on the user's access control context.

2.1 Implementing JAAS Authorization

The implementation of the Jaas authorization step is as follows:

1. The caller must have a subject object that has passed the authentication.
2. You must have a policy file that is configured with principal and permissions.
3. The caller's subject object must be associated with the current access control object.

2.2 Single Sign-on with Jaas shared state

Jaas shared State supports sharing security credentials (such as user name/password, shared secret key, and so on) between multiple authentication modules. This allows security credentials to be shared among the login modules used by multiple applications, enabling SSDO Jaas to multiple applications to provide a shared state mechanism that enables the login module to put the authentication credentials into a shared map and then pass it to the other login modules defined in the configuration file. In a typical SS () scenario, multiple applications must use a unified authentication solution that allows users to access multiple apps with only one login. To implement SSO in jars, you must define the login modules that are used by all applications that participate in SSC in the jars configuration file. The login module can use the Sharedstate parameter specified in the configuration file, which ensures that the authentication results of any login module can be shared with other login modules. For example, when the login module is configured with sharedstate, multiple login modules are allowed to share the user name and password, ensuring that the user can authenticate through multiple login modules with only one password loss.

"Java Security Technology Exploration Path series: Java Extensible Security Architecture" 16: Jaas (III): JAAS programming model