lecture notes

licoricebedsΑσφάλεια

22 Φεβ 2014 (πριν από 3 χρόνια και 6 μήνες)

259 εμφανίσεις

JAVA AUTHENTICATION AND
AUTHORIZATION SERVICE
(JAAS)


Authentication and Authorization



An
authentication

system is how you identify
yourself to the computer.


The goal behind an authentication system is to
verify that the user is actually who they say they
are.


There are many ways of authenticating a user.
Any combination of the following are good
examples.


Password based authentication


Device based authentication


Biometric Authentication


Authentication and Authorization


Once the system knows
who

the user is
through authentication,
authorization

is how
the system decides
what

the user can do.


initiate or progress a transaction, process or
activity


Authorization

is the process of granting
permission to someone or something



in order to perform given actions.


This is where you say that user x has permission to
access, say, a file or directory.

Authentication and Authorization


An example
: A

web site that may have a number pages
protected by a
username/password
mechanism.


Any user with valid credentials will be able to gain access to these pages
(
authentication
),


B
ut some of the users may be employees and have access to additional
information on other pages not accessible by ordinary users (
authorization
).



Authentication and Authorization are two completely separate
acts within the administration scheme.


A user may be authenticated but have no authorization.


Authentication may be performed by an entity completely
separate of the area where authorization for access may reside.


For example, I may use SecureID to authenticate a user to access routers,



however the authorization for the router they are allowed to access resides
in the router itself where the SecureID server is external of the router.


Using JAAS

A
uthentication


Typically involves the following steps:


Create a
LoginContext


Optionally pass a
CallbackHandler

to the
LoginContext
, for
gathering or processing
authentication
data


Perform authentication by calling the
LoginContext's login()

method


Perform privileged actions using the returned Subject
(assuming login succeeds)

Here's a minimal example:



LoginContext

lc

= new
LoginContext

("
MyExample
");


try {


lc
.
login()
;


} catch (LoginException) {

// Authentication failed.


}


// Authentication successful, we can now continue.


// We can use the returned Subject if we like.





Subject
sub

= lc.getSubject();



Subject.doAs

(
sub
, new MyPrivilegedAction());



During i
nitialization
, the LoginContext finds the
configuration entry "
MyExample
" in a JAAS
configuration file (which
we

configured)
and



determine
s

which

LoginModules

to load


During
login,

the LoginContext calls each
LoginModule
's login() method


Each login() method performs the authentication or enlists a
CallbackHandler


The
CallbackHandler
uses one or more Callbacks
to interact with the user and gather input


A new

Subject
instance is populated with
authentication details such as
Principals

and
credentials


JAAS configuration

Java 2 Security Model



The ability to grant
specific permissions

to a
particular piece of code

about

accessing
specific resources
on the client,

depending on the
signer
of the code

and/or the
location
from which the code was

loaded.


JAAS classes and interfaces



Common


Subject,


Principal,


credential (credential is not any specific class, but can be any object)


Authentication


LoginContext,


LoginModule,


CallbackHandler,


Callback


Authorization


Policy,



AuthPermission,


PrivateCredentialPermission


Most of these classes and interfaces are in the
javax.security.auth

package's subpackages, with some prebuilt
implementations in the
com.sun.security.auth
package,
included only in J2SE 1.4.

Common

Interface I


The
Subject class

represents an authenticated
entity
:


an end
-
user or administrator,


a Web service, device,


another process.


The class contains three sets of security
information types:


Identities:

In the form of one or more Principals


Public credentials:

Such as name or public keys


Private credentials:

Like passwords or private keys


An Explanation of Common Classes:


A Subject may be any entity, such as a person or
service.


Once authenticated, a Subject is populated with
associated identities, or Principals.


A Subject may have many Principals.


For example, a person may have a name Principal ("Jane Doe")


and a Social Security Number Principal ("111
-
22
-
3333"), that
distinguish it from other Subjects.



The
getPrincipals()

method retrieves the
Principals
associated with a Subject.


The static method
doAs()

in
Subject

achieves the
effect of having an
action run

as the
subject
.


Based on whether this
action

is
authorized
, the action
completes successfully or generates an exception.

JAAS programming model


To authenticate and authorize a Subject, these steps are
performed
:



An application instantiates a LoginContext.


The LoginContext consults a
Configuration

file, along the lines
of ones discussed above, to load the LoginModules configured
for that application.


The application invokes the LoginContext's login() method.


The login() method invokes the loaded LoginModules. Each
LoginModule attempts to authenticate the Subject. Upon
success, LoginModules associate relevant Principals and
credentials with the Subject.


The LoginContext returns the authentication status to the
application.


If authentication succeeds, the application retrieves the
authenticated Subject from the LoginContext.


Upon successful authentication of a Subject, fine
-
grained
access controls can be placed upon that Subject by invoking
the Subject.doAs() methods. The permissions granted to that
Subject are configured in a JAAS policy.



The following code outline illustrates how application code uses
the JAAS framework:


// Instantiate a login context


LoginContext context = new LoginContext("name",
CallbackHandler);

// Authenticate the subject


context.login();

// Retrieve the authenticated subject


Subject subject = context.getSubject();


// Enforce Access Controls


Subject.doAs(subject, action);


To implement a new login module, follow these suggested steps:


Understand the authentication technology


Name the LoginModule implementation


Implement the abstract LoginModule method


ompile the LoginModule


Configure and test the LoginModule


Document and package the LoginModule implementation


static
doAs

method
in

the
S
ubject

class



When using JAAS authentication to authenticate a user, a
subject
is created to represent the authenticated user.


A
subject
is comprised of a set of
principals
,


where each principal represents an i
dentity
for that user.


We

can grant
permissions
in the
policy
to
specific principals
.


After the user has been authenticated, the application can
associate the subject with the current
access control

context.


For each subsequent security
-
checked operation,



T
he Java run time automatically determines


whether the
policy grants

the required

permission

only to a specific
principal
.


If so, the operation is allowed only if the subject associated with
the access control context contains the designated principal.

static
doAs

method
in

the
S
ubject

class


Associate a subject with the current access control
context,


by calling the static
doAs
method from the subject class,


passing it an authenticated subject

and

java.security.PrivilegedAction


or


java.security.PrivilegedExceptionAction.


The
doAs

method associates the provided
subject

with the current access control context
. Then;


invokes the
run
method from the action.



The
run
method implementation contains all the code
executed as the
specified subject
.


The action executes as the specified subject.

Subject.doAs

(
subject, new

java.security.PrivilegedAction()
{


Public
Object
run()
{


//
the subject object is associated with the context of the current execution
thread


java.security.AccessController.doPrivileged

(

new


java.security.PrivilegedAction()
{


public Object run()
{


// Subject was cut off from the current thread context

//Within t
he run method of a
doPrivileged
action block,


//

the subject object

is removed from the thread context



return null;

}


}
)
;


// Subject is associated with the current thread context



return null;


}


}
)
;




Since doPrivileged blocks can be placed anywhere along the
execution path and instrumented quite often in a server
environment,


the run
-
time behavior of a
doAs

action block becomes
difficult to manage.

Class java.security.AccessController


Documentation
changed

from old

to new


The
AccessController

class is used for access
control operations and decisions.


More specifically the AccessController class is
used for three purposes:


to decide whether an access to a critical system
resource is to be
allowed
or
denied
based on the
security policy currently in effect


to mark code as being
"privileged"



thus affecting
subsequent access

determinations


to obtain a
"snapshot"

of the current calling context


so access
-
control decisions from a different context can be
made with respect to the saved context.



Changed

Methods

in class

java.security.AccessController

Documentation changed

f
rom old

to new



Object

doPrivileged

(PrivilegedExceptionAction)


Performs the specified PrivilegedExceptionAction with
privileges enabled.


Object

d
oPrivileged

(PrivilegedExceptionAction,



AccessControlContext)


Performs the specified PrivilegedExceptionAction with
privileges enabled and restricted by the specified
AccessControlContext
.

public

Class Object



Class Object is the root of the class hierarchy.


Every class has Object as a superclass.


All objects, including arrays, implement the methods of
this class.


public
Object
()
constructor


public interface
Runnable


When an object implementing interface Runnable is used to create a
thread, starting the thread causes the object's run method to be called in
that separately executing thread.


public void
run
()


The Runnable interface should be implemented by any class whose
instances are intended to be executed by a thread. The class must
define a method of no arguments called run.


his interface is designed to provide a common protocol for objects that
wish to execute code while they are active


Common

Interface II


Principals

represent Subject identities.


They implement the
java.security.Principal
interface
(which predates JAAS) and
java.io.Serializable
.



A Subject's most important method is
getName(),

which returns an identity's string name.


Since a Subject instance contains an array of
Principals,


it can thus have multiple names.



Because a social security number, login ID, email
address, and so on, can all represent one user,
multiple identities prove common in the real world

Common

Interface II


The last element


credential
, is not a class or an
interface, but can be any object.


Credentials can include any authentication artifact,


such as a ticket, key, or password



specific security systems might require.


The Subject class maintains unique Sets of private
and public credentials,


which can be retrieved with methods such as


getPrivateCredentials() and


getPublicCrendentials().


These methods are more often used by security
subsystems than at the application layer.

Authentication: LoginContext



The

application layer uses
LoginContext
as its
primary class for authenticating Subjects.


LoginContext
also represents where JAAS's
dynamic pluggability comes into play,


because when you construct a LoginContext,


you specify a named configuration to load.


The
LoginContext

typically loads the
configuration information from a text file,



which in turn tells the LoginContext which LoginModules to
use during login.

Explanation of
Authentication
C
lasses


The LoginContext class
p
rovides the basic methods to
authenticate
Subject


The LoginContext class
also p
rovides a way to develop
an
application

independent of the underlying
authentication technology using a configuration file
.


Actual authentication occurs with a call to the
login()

method.


T
he
LoginModule

interface allows you to implement
various authentication technologies that can be plugged
under an application.



Its important methods include: login()
,
commit()
,
abort()
,

logout()


T
he
CallbackHandler

communicates with the user to
obtain authentication information using callbacks.


T
he abstract Policy class represents the system
-
wide
JAAS access
-
control policy.


LoginContext methods



login()
:
Performs login, a relatively complex
step that invokes all LoginModules specified
for this configuration.


If it succeeds, it creates an authenticated
Subject.


If it fails, it throws a LoginException.


getSubject()
:
Returns the authenticated
Subject


logout()
:
Logs out the authenticated Subject
and removes its Principals and credentials.

Authentication: LoginModule




LoginModule is the interface to specific
authentication mechanisms.


J2SE 1.4 ships with a set of ready
-
to
-
use
LoginModules,


JndiLoginModule
:

Verifies against a directory service
configured under JNDI (Java Naming and Directory
Interface)


Krb5LoginModule
:
Authenticates using Kerberos
protocols


NTLoginModule
:
Uses the current user's NT security
information to authenticate

LoginModule


Modules can be configured via configuration files. A
sample entry might look like:


Login1 {


sample.
SampleLoginModule

required


debug=true;

};



In this case, only one module performs the
authentication.


An attempt by Login1 to authenticate a Subject will
succeed if and only if the
SampleLoginModule

succeeds.


In th
at

code , required represents a

LoginModuleControlFlag

LoginModuleControlFlags


Required:

The login module must succeed. Regardless
of whether it succeeds or fails, however, authentication
still proceeds down the login module list.


Requisite:

The login module must succeed. If login
succeeds, authentication continues down. However, if it
fails, control returns immediately to the application.


Sufficient
:

The module doesn't have to succeed. If it
does succeed, control immediately returns to the
application.


Optional:

This login module doesn't have to succeed.
Whether it succeeds or fails, authentication still proceeds
down the login module list

Overall authentication


Overall authentication is governed by the individual
modules and their LoginModuleControlFlag entry
.


p

indicates pass,
f

indicates fail, and
*

indicates don't
care entries.

Module

Criterion

Pass/Fail

SampleLoginModule

Required

p

p p p f f f f

NTLoginModule

Sufficient

p f f f p f

SmartCard

Requisite

* p p f * p p f

Kerberos

Optional

* p f * * p f *

Overallauthentication

p p p f f f f f


Overall authentication for a stack
-
based
authentication policy


What is Kerberos?



A

network authentication protocol


P
rovide
s

strong authentication


for client/server applications


by using secret
-
key cryptography


created by MIT as a solution to network security
problems


uses strong cryptography


a client can prove its identity to a server (and vice versa) across an
insecure network connection.


After Kerberos
has been used by a
client and server

to
prove their identity,



all of their communications can also
be
encrypt
ed

to assure
the
privacy and data integrity

http://web.mit.edu/kerberos/dist/index.html


http://web.mit.edu/kerberos/kfw
-
2.6/kfw
-
2.6.1/relnotes.html




JAAS: Pluggable

authentication


JAAS authorization



Once the user executing the code has been
authenticated
, the JAAS
authorization component

works in conjunction with the existing Java 2
CodeSource
-
based access control model.


JAAS policy extends the Java 2 policy with the
relevant
Subject
-
based information
.


Therefore,
permissions

recognized and
understood
in Java 2


java.io.FilePermission
and
java.net.SocketPermission

are equally
understood and recognized by JAAS.



Although the JAAS security policy physically
resides separately from the existing Java 2 security
policy,


the two policies should be treated as one logical policy.




An extension to the Java 2 policy file
syntax





grant signedBy "alias", codeBase "URL",


principal
principalClass

"principalName",


principal
principalClass

"principalName",





{


permission Type "name "action",


signedBy "alias";


permission Type "name "action",


signedBy "alias";



....

};

A
n example entry:



grant
CodeBase

"http://foo.com",



Signedby

"foo",


Principal com.sun.security.auth.NTPrincipal "admin" {


permission java.io.FilePermission "c:/user/admin",
"read, write";


};

//
Notice that the policy file entries include a Principal entry, the
basis for user
-
based authentication.

JAAS classes



The JAAS classes and interfaces reside in the
following packages:


javax.security.auth


javax.security.auth.callback


javax.security.auth.login


javax.security.auth.spi



The classes and interfaces can be categorized as:


Common classes:


Subject

,
Principal
,
Credential


Authentication classes:

LoginContext
,
LoginModule interface
,
Callback
,
CallbackHandler


Authorization classes:


Policy
,
AuthPermission
,
PrivateCredentialPermission



Running the Sample Program with the
Login Utility


The JAAS 1.0 kit includes a
sample program

at

http://java.sun.com/j2se/1.4.2/docs/guide/secur
ity/jgss/tutorials/LoginSample.html#PF


To
run the sample
, follow all instructions at the
page above, and refer to the kit's policy files,
command lines, and other relevant material.


The
sample program

first instantiates a
LoginContext.


The LoginContext consults the login configuration, which in
this example points to a single module: SampleLoginModule.


The
SampleLoginModule
, loaded to perform the
authentication, prompts for a username and password.


Entering
"testUser
"

for the username and
"testPassword"

for
the password, the
SampleLoginModule

associates a
SamplePrincipal
(with "testUser" as its name) with the
current
Subject
, and then



executes the
SampleAction
as that

Subjec
t (by calling
Subject.doAs).



The
SampleAction
, a privileged action, attempts to
access two System properties (
java.home

and
user.home
), and also


attempts to access the file
foo.txt

in the current working
directory.


This process will succeed only for the appropriate users,
thereby accomplishing
user
-
based authentication