JAAS Authorization - aaaggh - Weblogic



Thread: JAAS Authorization - aaaggh

  1. JAAS Authorization - aaaggh


    Hi

    I am struggling with authorization in WLS 8.1. My WL server is backed by an RDBMS
    Realm which is used for username/password authentication. I also have a remote
    JVM which uses JAAS to authenticate a user as required. This works fine. For
    the remote JVM I have created a custom permission and associated that with a principal
    via a policy file, shown below:-

    grant principal weblogic.security.principal.RealmAdapterUser "MyUser"
    {
        permission com.package.security.jaas.MyPermission "logon", "true";
    };

    grant
    {
        permission java.io.FilePermission "<<ALL FILES>>", "read,write";
        permission java.net.SocketPermission "*", "accept,connect,listen,resolve";
        permission java.util.PropertyPermission "*", "read,write";
        permission java.lang.RuntimePermission "accessClassInPackage.sun.io";
        permission java.lang.RuntimePermission "createClassLoader";
        permission java.lang.RuntimePermission "getClassLoader";
        permission java.io.SerializablePermission "enableSubstitution";
        permission javax.security.auth.AuthPermission "*";
    };

    I have a few questions:
    1) How do I associate the subject from the returned login context with my permission?
    2) I call Security.runAs(subject, myaction) to perform the authorized (or not)
    action. However, regardless of what user I use (authorized and unauthorized that
    belong to different groups) it always passes.

    I don't find the WL 8.1 docs on authorization particularly useful, so does anyone
    know what I am doing wrong?

    TIA

    Matt

  2. Re: JAAS Authorization - aaaggh


    "Matt" wrote in message
    news:3f379042$1@newsgroups.bea.com...
    >
    > Hi
    >
    > I am struggling with authorization in WLS 8.1. My WL server is backed by an RDBMS
    > Realm which is used for username/password authentication. I also have a remote
    > JVM which uses JAAS to authenticate a user as required. This works fine. For
    > the remote JVM I have created a custom permission and associated that with a principal
    > via a policy file, shown below:-
    >
    > grant principal weblogic.security.principal.RealmAdapterUser "MyUser"
    > {
    >     permission com.package.security.jaas.MyPermission "logon", "true";
    > };
    >
    > grant
    > {
    >     permission java.io.FilePermission "<<ALL FILES>>", "read,write";
    >     permission java.net.SocketPermission "*", "accept,connect,listen,resolve";
    >     permission java.util.PropertyPermission "*", "read,write";
    >     permission java.lang.RuntimePermission "accessClassInPackage.sun.io";
    >     permission java.lang.RuntimePermission "createClassLoader";
    >     permission java.lang.RuntimePermission "getClassLoader";
    >     permission java.io.SerializablePermission "enableSubstitution";
    >     permission javax.security.auth.AuthPermission "*";
    > };
    >
    > I have a few questions:
    > 1) How do I associate the subject from the returned login context with my permission?
    > 2) I call Security.runAs(subject, myaction) to perform the authorized (or not)
    > action. However, regardless of what user I use (authorized and unauthorized that
    > belong to different groups) it always passes.
    >
    > I don't find the WL 8.1 docs on authorization particularly useful, so does anyone
    > know what I am doing wrong?
    >


    WLS allows you to use JAAS authorization, but does not provide any support other
    than what is in the SDK. Therefore, the steps should be the same whether you are in
    a java program or whether running in WLS.

    http://java.sun.com/j2se/1.4.1/docs/...als/GeneralAcnAndAzn.html

    I think you need to use a doAs instead of a WLS runAs
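The reply points at plain SDK JAAS authorization: the Subject's principals only take part in a permission decision when the action runs under Subject.doAs, and only if something inside the action actually calls checkPermission against a Policy that grants by principal. The following is an added, self-contained example (not code from the thread, and not WebLogic's) showing those pieces together. It stands in for the posted policy file with a programmatic Policy, and uses hypothetical LogonPermission and NamedUser classes in place of com.package.security.jaas.MyPermission and weblogic.security.principal.RealmAdapterUser, which are not available outside WebLogic. It assumes a JDK where the legacy Policy/AccessController authorization stack is still functional (JDK 8 through 17; later releases deprecate and eventually disable it).

```java
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import javax.security.auth.Subject;

// Hypothetical stand-in for com.package.security.jaas.MyPermission.
// BasicPermission supplies the name-based implies() semantics a policy file expects.
final class LogonPermission extends BasicPermission {
    LogonPermission(String name) { super(name); }
}

// Hypothetical stand-in for weblogic.security.principal.RealmAdapterUser.
// Policy decisions match principals by class and name, so equals/hashCode matter.
final class NamedUser implements Principal {
    private final String name;
    NamedUser(String name) { this.name = name; }
    @Override public String getName() { return name; }
    @Override public boolean equals(Object o) {
        return o instanceof NamedUser && ((NamedUser) o).name.equals(name);
    }
    @Override public int hashCode() { return name.hashCode(); }
}

// Programmatic equivalent of the posted policy file: "logon" is granted only to
// code executing as a Subject that carries NamedUser "MyUser"; every other
// permission is granted unconditionally, like the second, unrestricted grant block.
final class LogonPolicy extends Policy {
    @Override
    public boolean implies(ProtectionDomain domain, Permission permission) {
        if (!(permission instanceof LogonPermission)) {
            return true;
        }
        // Principals are attached to the domain by Subject.doAs; with no
        // Subject in play this array is empty and the check is denied.
        for (Principal p : domain.getPrincipals()) {
            if (p instanceof NamedUser && "MyUser".equals(p.getName())) {
                return true;
            }
        }
        return false;
    }
}

public final class JaasAuthorizationDemo {

    // Builds the Subject a LoginContext would normally hand back. It is
    // constructed directly here so the example runs without a login module.
    static Subject subjectFor(String userName) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new NamedUser(userName));
        subject.setReadOnly();
        return subject;
    }

    // Runs the protected action as the given Subject. Subject.doAs installs a
    // SubjectDomainCombiner that adds the Subject's principals to the
    // ProtectionDomains on the stack, which is what lets a "grant principal"
    // rule match. The action itself must call checkPermission: if it never
    // does, nothing is denied, whichever user the Subject represents.
    static boolean tryLogon(Subject subject) {
        PrivilegedAction<Boolean> action = () -> {
            try {
                AccessController.checkPermission(new LogonPermission("logon"));
                return Boolean.TRUE;
            } catch (AccessControlException denied) {
                return Boolean.FALSE;
            }
        };
        return Subject.doAs(subject, action);
    }

    public static void main(String[] args) {
        Policy.setPolicy(new LogonPolicy());
        System.out.println("MyUser logon allowed: " + tryLogon(subjectFor("MyUser")));
        System.out.println("Guest  logon allowed: " + tryLogon(subjectFor("Guest")));
    }
}
```

Run with `java JaasAuthorizationDemo`. The first call is allowed because the combined domain carries the "MyUser" principal the policy looks for; the second is denied because "Guest" matches no grant. The point relevant to the second question in the thread is the comment on tryLogon: the permission named in the policy is only consulted at the spot where the action calls checkPermission, so an action that performs its work without that call will appear to authorize every user regardless of which Subject it runs under.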


