JAAS architecture ppt

jaas authentication example java and jaas ldap authentication example
OliviaCutts,France,Teacher
Published Date:01-08-2017
JAAS
Java Authentication and Authorization Services
Bruce A Rich, Java Security Lead, IBM/Tivoli Systems
Java is a trademark and Java 2 is a registered trademark of Sun Microsystems Inc.

Trademarks
- Java, Java 2 are trademarks or registered trademarks of Sun Microsystems Inc.
- Windows 2000 is a registered trademark of Microsoft

O'Reilly Conference on Enterprise Java, March 26-29, 2001

Talk Outline
- JAAS fundamentals
- JAAS case study with Kerberos
- Backup materials
  - Java2 security model
  - JAAS and J2EE relationships

JAAS fundamentals
Emphasis on "fun" or "mental"?

What is JAAS?
- Add the concept of "user identity" to the Java 2 security model
- Enable existing security services to plug in
- Compatibly extend the current model

Key elements
- Authentication framework
- Assertion of identity
- Enhanced authorization
- Low level of binding between authentication and authorization

Authentication framework
- Authentication framework
  - Policy-based
  - Generic and abstract
  - Sufficient for today's mechanisms, extensible
  - Pluggable, stackable
- Key abstractions
  - Subject - any user of computing
    - Collection of Principals, credentials
  - Principal (java.security)
    - Has a name

Assertion of identity
- Avoids incompatible behavior
- Lexically scopes identity
- Logically associates Subject with current Thread
- static Object Subject.doAs(Subject, action)

Enhanced Authorization
- Augmentation of current Permission specification
- Principal-based
- Any authentication with any Permission
- Example in Kerberos section

Java 2 Security Model
- Ability to grant specific permissions to a particular piece of code about accessing specific resources on the client, depending on the signer of the code and/or the location from which the code was loaded.
[Diagram labels: Local or remote code (signed or unsigned); Security Policy; Sandbox; Domain A; Domain B; Domain C; JVM; Resources]

Java 2 Permission Model
[Diagram labels: SecureClassLoader; Class A; Class A's Protection Domain; POLICY; Code Source (Certificate 1 ... Certificate N, Code Base URL); Permission Collection (Permission 1 ... Permission M); Protection Domain]

Java 2 Authorization Model
[Diagram labels: Class 1 ... Class K, each with a Code Source (Cert k,1 ... Cert k,N_k, Code Base URL) and a Permission Collection (Perm k,1 ... Perm k,M_k); Permission to check]

JAAS Authorization Model
[Diagram labels: SecureClassLoader; Class A; Class A's Protection Domain; Subject Y; Subject Y's Protection Domain; POLICY (for each domain); Code Source (Certificate 1 ... Certificate N, Code Base URL); Permission Collections (Permission 1 ... Permission M); Protection Domain]

JAAS: A Case Study with Kerberos

Building blocks
- LoginModule
  - 5 methods
- New java.security.Principal subclass
  - Allows granting Permissions based on this new Principal class
- Possibly some "credentials" related to Principal
  - Allows proof of identity at some later time

Kerberos Authentication Using JAAS
- KerberosUserPrincipal
  - Allows permissions based on this authentication technique
- KerberosTGTCredential
  - Allows further service acquisition without requiring password

KerberosUserPrincipal

    // Principal is an interface, so the class implements it.
    public class KerberosUserPrincipal implements Principal {
        private String name; // user name

        public KerberosUserPrincipal(String userName) {
            name = userName;
        }

        public String getName() {
            return name;
        }
        . . .
    }

KerberosTGTCredential

    public class KerberosTGTCredential extends Object {
        private KrbCreds creds;

        public KerberosTGTCredential(KrbCreds creds) {
            this.creds = creds;
        }

        public KrbCreds getCreds() {
            return creds;
        }
        . . .
    }

KerberosLoginModule

    // LoginModule is an interface, so the class implements it.
    public class KerberosLoginModule implements LoginModule {
        private KerberosUserPrincipal kup;
        private KerberosTGTCredential ktc;
        private Subject subj;

        public void initialize(Subject s, ...) {
            subj = s;
            ...
        }

        public boolean login() {
            if (callbackHandler == null) {
                // no way to get parameters???
            } else {
                // get username, pw, realm;
                // authenticate, remember kup and ktc;
            }
        }

        public boolean commit() {
            subj.getPrincipals().add(kup);
            subj.getPublicCredentials().add(ktc);
        }
    }

Windows 2000 Interoperability
- If in a Windows 2000 domain, already have a Kerberos ticket, but how to use from Java?
- New wrinkle for KerberosLoginModule
  - LsaCallAuthenticationPackage
  - KerbRetrieveEncodedTicketMessage
  - + lots of JNI magic
  - === KerberosTGTCredential for current Subject
