Sun OpenSSO Enterprise 8.0 Developer's Guide

Enabling Authorization Using the Java Authentication and Authorization Service (JAAS)

The Java Authentication and Authorization Service (JAAS) is a set of APIs that can determine the identity of a user or computer attempting to run Java code, and ensure that the entity has the right to execute the requested functions. After an identity has been established through authentication, a Subject object, representing a grouping of information about the entity, is created. Whenever the Subject attempts a restricted operation or access, the Java runtime uses the JAAS AccessController class to determine which Principal (each representing one piece of information established during authentication), if any, would authorize the request. If the Subject contains the appropriate Principal, the request is allowed; if it does not, an exception is thrown.
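The Subject, Principal and AccessController interaction described above, as an added stand-alone example that is not part of this guide and uses no OpenSSO Enterprise classes. The RolePrincipal, OperationPermission and RolePolicy types, the "admin" role and the "report.export" operation are constructed for the illustration. It uses Subject.doAsPrivileged with a null AccessControlContext rather than Subject.doAs, so that only the action's own code, carrying the Subject's Principals, is evaluated; with doAs the caller's Principal-less domains remain in the context and would also have to be granted. It assumes a JDK from 8 through 17: java.security.Policy and Subject.doAsPrivileged are deprecated in later releases, and JDK 24 permanently disables the Security Manager machinery behind AccessController.checkPermission (JEP 486).

```java
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.Collections;
import javax.security.auth.Subject;

public class PrincipalPolicyDemo {

    /** Constructed Principal: one fact established at authentication time, here a role name. */
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && ((RolePrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "RolePrincipal:" + name; }
    }

    /** Constructed Permission: names an application operation such as "report.export". */
    static final class OperationPermission extends BasicPermission {
        OperationPermission(String name) { super(name); }
    }

    /**
     * Constructed Policy: grants any OperationPermission to a ProtectionDomain whose
     * Principals include the "admin" role, and nothing else. Subject.doAsPrivileged
     * attaches the Subject's Principals to the domains on the call stack, so this is
     * where the "does the Subject hold the right Principal" decision is made.
     */
    static final class RolePolicy extends Policy {
        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            if (!(permission instanceof OperationPermission)) {
                return false; // only application operations are decided by this policy
            }
            for (Principal p : domain.getPrincipals()) {
                if (p instanceof RolePrincipal && "admin".equals(p.getName())) {
                    return true;
                }
            }
            return false;
        }
    }

    /** Runs the permission check as the given Subject; returns true if access was granted. */
    static boolean canExport(Subject subject) {
        PrivilegedAction<Boolean> action = () -> {
            try {
                // Consults the installed Policy with the Principals attached by doAsPrivileged.
                AccessController.checkPermission(new OperationPermission("report.export"));
                return true;
            } catch (AccessControlException denied) {
                return false;
            }
        };
        // null context: evaluate only the action's code plus the Subject's Principals
        return Subject.doAsPrivileged(subject, action, null);
    }

    /** A real Subject comes from a LoginContext; this one is constructed for the demo. */
    static Subject subjectWithRole(String role) {
        return new Subject(true, Collections.singleton(new RolePrincipal(role)),
                Collections.emptySet(), Collections.emptySet());
    }

    public static void main(String[] args) {
        Policy.setPolicy(new RolePolicy()); // replace the default file-based policy
        System.out.println("admin  -> " + canExport(subjectWithRole("admin")));
        System.out.println("viewer -> " + canExport(subjectWithRole("viewer")));
    }
}
```

The policy deliberately answers false for anything that is not an OperationPermission; without a Security Manager installed no other checks are made, so nothing else is affected. A Subject holding only the "viewer" role is refused, which is the exception path the paragraph above describes.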

In OpenSSO Enterprise the custom implementation of the JAAS java.security.Policy, com.sun.identity.policy.jaas.ISPolicy, relies on the policy framework to evaluate all Policy Service policies. Policies for resources that are not under OpenSSO Enterprise control (for example, system-level resources) are evaluated using JAAS.

OpenSSO Enterprise policy does not control access to com.sun.security.auth.PolicyFile, the default JAAS policy store.

Note – For more information see the JAAS Java API Reference.

To enable authorization using JAAS in OpenSSO Enterprise, use the JAAS java.security.Policy API to reset the policy at run time. In the sample code, the client application resets the policy to ISPolicy so that permission checks are evaluated by OpenSSO Enterprise. OpenSSO Enterprise provides the support needed to express such a policy check through ISPermission.


Example 2–1 Sample JAAS Authorization Code


import java.security.AccessController;
import java.security.Policy;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;

import com.sun.identity.authentication.AuthContext;
import com.sun.identity.policy.jaas.ISPermission;
import com.sun.identity.policy.jaas.ISPolicy;

public class JaasAuthorizationSample {

    // Credentials used to answer the login callbacks; taken from the command line
    private static String userName;
    private static char[] password;

    public static void main(String[] args) {
        userName = args[0];
        password = args[1].toCharArray();
        try {
            // Authenticate against the organization and create an SSOToken
            AuthContext ac = new AuthContext("dc=iplanet,dc=com");
            ac.login();
            Callback[] callbacks = null;
            if (ac.hasMoreRequirements()) {
                callbacks = ac.getRequirements();
                if (callbacks != null) {
                    try {
                        // this method sets appropriate responses
                        // in the callbacks.
                        addLoginCallbackMessage(callbacks);
                        ac.submitRequirements(callbacks);
                    } catch (Exception e) {
                        e.printStackTrace();
                    }
                }
            }
            if (ac.getStatus() == AuthContext.Status.SUCCESS) {
                // get the authenticated subject
                Subject subject = ac.getSubject();

                // change the policy to our own Policy
                Policy.setPolicy(new ISPolicy());

                // the permission to check: service name, resource name, action
                final ISPermission perm = new ISPermission("iPlanetAMWebAgentService",
                        "http://www.sun.com:80", "GET");

                // execute the run() method of the PrivilegedExceptionAction
                // as the specified subject
                Subject.doAs(subject, new PrivilegedExceptionAction() {
                    public Object run() throws Exception {
                        // returns quietly if the Permission has been granted,
                        // else throws an access denied exception; so if the
                        // ISPermission above had not been granted, this
                        // statement throws and the return below is not reached
                        AccessController.checkPermission(perm);
                        return null;
                    }
                });
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    // Answers the callbacks presented by the authentication module. This sample
    // handles the name and password callbacks of the default login module.
    private static void addLoginCallbackMessage(Callback[] callbacks) {
        for (Callback callback : callbacks) {
            if (callback instanceof NameCallback) {
                ((NameCallback) callback).setName(userName);
            } else if (callback instanceof PasswordCallback) {
                ((PasswordCallback) callback).setPassword(password);
            }
        }
    }
}