Section C.2. Client-Side JAAS

To use JAAS from an external client, we need to take the following steps:

  • Write the client code, using the MyPassiveCallbackHandler from the CallbackHandler section.

  • Configure a client-side LoginModule.

  • Set up a J2SE Security Policy file.

C.2.1. External Client Application that Uses JAAS

The following code snippet shows how an external application would use JAAS authentication, assuming that the user has already entered a username and password. We first instantiate an application-specific CallbackHandler implementation, MyPassiveCallbackHandler, with the userName and password. We then create the JAAS LoginContext, passing the application name along with our CallbackHandler. The "Client-JBossAtWorkAuth" application name comes from the LoginModule Configuration file; see the "Client-Side LoginModule Configuration" section for details. The LoginContext's login( ) method then authenticates the user. If login( ) throws a LoginException, the logon process failed. If the logon succeeds, the application calls the code the user is allowed to access, as in Example C-3.

Example C-3. Sample external client
 import javax.security.auth.login.*;
 import javax.security.auth.*;
 import java.security.*;
 ...
 try {
     MyPassiveCallbackHandler myCallbackHandler = null;
     // Set Security Association CallbackHandler-specific settings
     myCallbackHandler = new MyPassiveCallbackHandler(userName, password);
     // Get Login Context (NOTE: Client-JBossAtWorkAuth is the application
     // name in the client-auth.conf LoginModule Configuration file)
     System.out.println("Creating the JAAS Login Context");
     LoginContext loginContext = new LoginContext("Client-JBossAtWorkAuth",
                                                  myCallbackHandler);
     // Login
     System.out.println("Logging in as user [" + userName + "]");
     loginContext.login();   // throws LoginException if authentication fails
     // Protected code goes here.
 } catch (LoginException le) {
     System.out.println(le.getMessage());
 }
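The same flow as a complete client, added here as an example that is not the book's code: it supplies an assumed PassiveCallbackHandler standing in for the MyPassiveCallbackHandler defined elsewhere in the appendix, runs the protected work under Subject.doAs (which is why the policy file later grants the "doAs" AuthPermission), and wipes the password and logs out whether or not the login succeeded.

```java
import java.security.PrivilegedAction;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class JaasClientExample {
    // Assumed stand-in for the book's MyPassiveCallbackHandler: it answers the
    // LoginModule's callbacks from credentials collected earlier, no prompting.
    static final class PassiveCallbackHandler implements CallbackHandler {
        private final String userName;
        private final char[] password;
        PassiveCallbackHandler(String userName, char[] password) {
            this.userName = userName;
            this.password = password;      // caller owns and wipes the array
        }
        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(userName);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "not supported");
                }
            }
        }
    }
    // Logs in through the Client-JBossAtWorkAuth entry of client-auth.conf,
    // runs the protected work as the authenticated Subject, then logs out.
    static String runAs(String userName, char[] password) throws LoginException {
        LoginContext lc = new LoginContext("Client-JBossAtWorkAuth",
                new PassiveCallbackHandler(userName, password));
        boolean loggedIn = false;
        try {
            lc.login();                        // throws LoginException if refused
            loggedIn = true;
            Subject subject = lc.getSubject();
            return Subject.doAs(subject, (PrivilegedAction<String>) () ->
                    "running as " + subject.getPrincipals());   // protected work
        } finally {
            Arrays.fill(password, '\0');       // don't keep the password around
            if (loggedIn) lc.logout();         // logout() before login() throws
        }
    }
}
```

Run it with the command line from the "Setting the Client CLASSPATH" section so that client-auth.conf and security.policy are picked up.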

We've now written the core client code and the CallbackHandler, but there's still a little more work to do before we can run the client. We need to take the following steps:

  • Configure a client-side LoginModule.

  • Create a J2SE Security file.

  • Set up the Client's CLASSPATH.

C.2.2. Client-Side LoginModule Configuration

We have to configure a client-side LoginModule in Example C-4 so the client application can instantiate a LoginContext.

Example C-4. client-auth.conf
 Client-JBossAtWorkAuth {
     org.jboss.security.ClientLoginModule required;
 };

When called by the client application, the LoginContext's constructor reads this LoginModule Configuration file to set up a JBoss-specific JAAS LoginModule that communicates with the JBoss server. The application then uses the LoginContext to log on to the JBoss server using JAAS.

C.2.3. J2SE Security Policy File

The Security Policy File in Example C-5 gives the client the privileges it needs to use the JAAS API.

Example C-5. security.policy
 grant codeBase "file:.${/}-" {
   permission javax.security.auth.AuthPermission "createLoginContext";
   permission javax.security.auth.AuthPermission "doAs";
   permission javax.security.auth.AuthPermission "doAsPrivileged";
   permission javax.security.auth.AuthPermission "modifyPrincipals";
   permission javax.security.auth.AuthPermission "getSubject";
   // Read access to the java.security.auth.debug System property
   permission java.util.PropertyPermission "java.security.auth.debug", "read";
 };

The javax.security.auth.AuthPermission settings in this file grant permissions to:

  • Create a LoginContext.

  • Call Subject.doAs( ) and doAsPrivileged( ) so the client can access protected code.

  • Allow a CallbackHandler to modify Principals.

  • Enable the client to get the Subject from the LoginContext.

The java.util.PropertyPermission entry lets the client read the java.security.auth.debug System property; see the next section for details.
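A preflight check for this policy, added here as an example and not the book's code: started with the same -Djava.security.manager and -Djava.security.policy settings as the client, it reports which of the grants in Example C-5 the active policy denies to the client's code base, so a missing entry shows up as a plain message instead of as an AccessControlException somewhere inside LoginContext. The list of required permissions is assumed from Example C-5.

```java
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.util.ArrayList;
import java.util.List;
import java.util.PropertyPermission;
import javax.security.auth.AuthPermission;

public class PolicyPreflight {
    // The grants security.policy is expected to provide to the client
    // (assumed list, taken from Example C-5 above).
    static final Permission[] REQUIRED = {
        new AuthPermission("createLoginContext"),
        new AuthPermission("doAs"),
        new AuthPermission("doAsPrivileged"),
        new AuthPermission("modifyPrincipals"),
        new AuthPermission("getSubject"),
        new PropertyPermission("java.security.auth.debug", "read"),
    };

    // Returns the required permissions the active policy denies to this
    // code base; an empty list means the JAAS client has what it needs.
    static List<Permission> missingGrants() {
        List<Permission> missing = new ArrayList<>();
        if (System.getSecurityManager() == null) {
            return missing;    // no security manager: policy is not enforced
        }
        for (Permission p : REQUIRED) {
            try {
                AccessController.checkPermission(p);
            } catch (AccessControlException denied) {
                missing.add(p);
            }
        }
        return missing;
    }

    public static void main(String[] args) {
        List<Permission> missing = missingGrants();
        if (missing.isEmpty()) {
            System.out.println("security.policy grants every required permission");
        } else {
            System.out.println("security.policy is missing: " + missing);
            System.exit(1);
        }
    }
}
```

Without -Djava.security.manager the check is vacuous, because no policy is enforced at all; that is also why a client that works during development can fail once the security manager is switched on.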

C.2.4. Setting the Client CLASSPATH

The client requires the following CLASSPATH settings to run properly:

 java -classpath .:$JBOSS_HOME/client/jbosssx-client.jar \
      -Djava.security.manager \
      -Djava.security.policy="security.policy" \
      -Djava.security.auth.policy="security.policy" \
      -Djava.security.auth.login.config="client-auth.conf" \
      -Djava.security.auth.debug="all" \
      com.jbossatwork.client.JaasClient

The jbosssx-client.jar contains the JBoss JAAS client-side classes, and the java.security.manager System property tells the JVM to install a security manager that enforces a security policy file. The java.security.policy and java.security.auth.policy System properties tell the Java Security Manager to use our security policy file, security.policy. The java.security.auth.login.config System property tells JAAS to use our client-side LoginModule Configuration file, client-auth.conf.

To check for any client-side configuration problems, we turn on JAAS debug options by specifying the java.security.auth.debug System property. Here are some of the valid values for java.security.auth.debug:

  • all: Turn on all JAAS debugging.

  • logincontext: Enable LoginContext debugging.

  • policy: Configure access control policy debugging.

We're setting java.security.auth.debug to all so we can see everything. You can turn this setting off later on if you'd like.

JBoss at Work: A Practical Guide
ISBN: 0596007345
Year: 2004
Pages: 197