JAAS Authorization - aaaggh
Hi
I am struggling with authorization in WLS 8.1. My WL server is backed by an RDBMS Realm which is used for username/password authentication. I also have a remote JVM which uses JAAS to authenticate a user as required. This works fine. For the remote JVM I have created a custom permission and associated that with a principal via a policy file, shown below:
grant principal weblogic.security.principal.RealmAdapterUser "MyUser"
{
    permission com.package.security.jaas.MyPermission "logon", "true";
};

grant
{
    permission java.io.FilePermission "<<ALL FILES>>", "read,write";
    permission java.net.SocketPermission "*", "accept,connect,listen,resolve";
    permission java.util.PropertyPermission "*", "read,write";
    permission java.lang.RuntimePermission "accessClassInPackage.sun.io";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.io.SerializablePermission "enableSubstitution";
    permission javax.security.auth.AuthPermission "*";
};
I have a few questions:
1) How do I associate the subject from the returned login context with my permission?
2) I call Security.runAs(subject, myaction) to perform the authorized (or not) action. However, regardless of what user I use (authorized and unauthorized users that belong to different groups), it always passes.

I don't find the WL 8.1 docs on authorization particularly useful, so does anyone know what I am doing wrong?
TIA
Matt
Re: JAAS Authorization - aaaggh
"Matt" <matt@jaas-hell.com> wrote in message
news:3f379042$1@newsgroups.bea.com...
>
> Hi
>
> I am struggling with authorization in WLS 8.1. My WL server is backed by an RDBMS
> Realm which is used for username/password authentication. I also have a remote
> JVM which uses JAAS to authenticate a user as required. This works fine. For
> the remote JVM I have created a custom permission and associated that with a principal
> via a policy file, shown below:
>
> grant principal weblogic.security.principal.RealmAdapterUser "MyUser"
> {
>     permission com.package.security.jaas.MyPermission "logon", "true";
> };
>
> grant
> {
>     permission java.io.FilePermission "<<ALL FILES>>", "read,write";
>     permission java.net.SocketPermission "*", "accept,connect,listen,resolve";
>     permission java.util.PropertyPermission "*", "read,write";
>     permission java.lang.RuntimePermission "accessClassInPackage.sun.io";
>     permission java.lang.RuntimePermission "createClassLoader";
>     permission java.lang.RuntimePermission "getClassLoader";
>     permission java.io.SerializablePermission "enableSubstitution";
>     permission javax.security.auth.AuthPermission "*";
> };
>
> I have a few questions:
> 1) How do I associate the subject from the returned login context with my permission?
> 2) I call Security.runAs(subject, myaction) to perform the authorized (or not)
> action. However, regardless of what user I use (authorized and unauthorized that
> belong to different groups) it always passes.
>
> I don't find the WL 8.1 docs on authorization particularly useful, so does anyone
> know what I am doing wrong?
>
WLS allows you to use JAAS authorization, but does not provide any support other than what is in the SDK. Therefore, the steps should be the same whether you are in a Java program or whether running in WLS.

http://java.sun.com/j2se/1.4.1/docs/guide/security/jaas/tutorials/GeneralAcnAndAzn.html

I think you need to use a doAs instead of a WLS runAs.
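The following is an added, stand-alone example (not code from either post, and not WebLogic's own code) of the JAAS principal-based check that both the question and the reply are about: a custom Permission, a policy file that grants it to one named principal, and the action run under Subject.doAsPrivileged so that the Subject's principals are part of the access-control context when AccessController.checkPermission runs. Because weblogic.security.principal.RealmAdapterUser is not available outside WebLogic, a trivial DemoUser principal stands in for it; the class names JaasAuthzDemo, MyPermission, DemoUser and the file name demo.policy are all constructed for this example. On JDK 1.4, the era of the thread, principal-based grants went into the separate auth policy file selected with -Djava.security.auth.policy; on later JDKs (this code targets JDK 8 to 17, where a SecurityManager can still be installed) they go into the ordinary java.security.Policy file used below.

```java
// JaasAuthzDemo.java  (constructed example, not from the thread or WebLogic)
//
// demo.policy (constructed for this example; keep the unconditional block minimal,
// because any grant to all code that implies MyPermission would make the principal
// check meaningless):
//
//   grant {
//       permission javax.security.auth.AuthPermission "modifyPrincipals";
//       permission javax.security.auth.AuthPermission "setReadOnly";
//       permission javax.security.auth.AuthPermission "doAsPrivileged";
//   };
//   grant principal JaasAuthzDemo$DemoUser "MyUser" {
//       permission JaasAuthzDemo$MyPermission "logon", "true";
//   };
//
// Run:  javac JaasAuthzDemo.java
//       java -Djava.security.manager -Djava.security.policy==demo.policy JaasAuthzDemo

import java.security.AccessController;
import java.security.BasicPermission;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

public class JaasAuthzDemo {

    /** Custom permission, modelled on the post's MyPermission "logon", "true". */
    public static final class MyPermission extends BasicPermission {
        public MyPermission(String name) { super(name); }
        // The policy parser instantiates the permission through this two-argument
        // constructor because the grant line supplies an actions string ("true");
        // BasicPermission ignores the actions, only the name ("logon") matters.
        public MyPermission(String name, String actions) { super(name, actions); }
    }

    /** Stand-in principal (constructed); a realm would supply its own, e.g. RealmAdapterUser. */
    public static final class DemoUser implements Principal {
        private final String name;
        public DemoUser(String name) { this.name = name; }
        public String getName() { return name; }
        public boolean equals(Object o) { return o instanceof DemoUser && ((DemoUser) o).name.equals(name); }
        public int hashCode() { return name.hashCode(); }
        public String toString() { return "DemoUser[" + name + "]"; }
    }

    /** True if the current access-control context is granted MyPermission "logon". */
    static boolean mayLogon() {
        try {
            AccessController.checkPermission(new MyPermission("logon"));
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    /**
     * Runs the check with the Subject bound to the context. doAsPrivileged with a null
     * AccessControlContext starts from an empty set of ProtectionDomains, so only the
     * Subject's principals plus the grants for this code decide the outcome.
     */
    static boolean checkAs(Subject subject) {
        return Subject.doAsPrivileged(subject, new PrivilegedAction<Boolean>() {
            public Boolean run() { return mayLogon(); }
        }, null);
    }

    /** Builds what a LoginContext would normally return: a read-only Subject with one principal. */
    static Subject subjectFor(String user) {
        Subject s = new Subject();
        s.getPrincipals().add(new DemoUser(user));   // needs AuthPermission "modifyPrincipals"
        s.setReadOnly();                             // needs AuthPermission "setReadOnly"
        return s;
    }

    public static void main(String[] args) {
        if (System.getSecurityManager() == null) {
            System.err.println("Run with -Djava.security.manager -Djava.security.policy==demo.policy");
            return;
        }
        System.out.println("MyUser via doAsPrivileged -> " + checkAs(subjectFor("MyUser"))); // true
        System.out.println("Other  via doAsPrivileged -> " + checkAs(subjectFor("Other")));  // false
        System.out.println("no Subject bound          -> " + mayLogon());                    // false
    }
}
```

The point the reply makes can be seen in the third line of output: called outside doAs/doAsPrivileged, the context carries no principals, so the grant principal entry never applies and only the unconditional grant block decides. Which wrapper binds the Subject is therefore what matters; the policy file alone associates nothing. A second thing worth checking in a policy like the one in the post is that nothing in the unconditional block implies the custom permission, since any such grant would make every user pass regardless of principal.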