108 lines
6.8 KiB
HTML
108 lines
6.8 KiB
HTML
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
|
<!DOCTYPE html
|
||
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
|
|
<html lang="en-us" xml:lang="en-us">
|
||
|
|
<head>
|
||
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||
|
|
<meta name="security" content="public" />
|
||
|
|
<meta name="Robots" content="index,follow" />
|
||
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
||
|
|
<meta name="DC.Type" content="concept" />
|
||
|
|
<meta name="DC.Title" content="JAAS permission checks" />
|
||
|
|
<meta name="abstract" content="IBM JGSS performs runtime permission checks at the time the JAAS-enabled program uses credentials and accesses services. You can disable this optional JAAS feature by setting the Java property avax.security.auth.useSubjectCredsOnly to false. Moreover, JGSS performs permission checks only when the application runs with a security manager." />
|
||
|
|
<meta name="description" content="IBM JGSS performs runtime permission checks at the time the JAAS-enabled program uses credentials and accesses services. You can disable this optional JAAS feature by setting the Java property avax.security.auth.useSubjectCredsOnly to false. Moreover, JGSS performs permission checks only when the application runs with a security manager." />
|
||
|
|
<meta name="DC.Relation" scheme="URI" content="rzahajgsscfgsecmgr.htm" />
|
||
|
|
<meta name="DC.Relation" scheme="URI" content="rzahajgssjvmperm.htm" />
|
||
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
|
||
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
|
||
|
|
<meta name="DC.Format" content="XHTML" />
|
||
|
|
<meta name="DC.Identifier" content="rzahajgssjaasperm" />
|
||
|
|
<meta name="DC.Language" content="en-us" />
|
||
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
|
|
<!-- US Government Users Restricted Rights -->
|
||
|
|
<!-- Use, duplication or disclosure restricted by -->
|
||
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
||
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
||
|
|
<title>JAAS permission checks</title>
|
||
|
|
</head>
|
||
|
|
<body id="rzahajgssjaasperm"><a name="rzahajgssjaasperm"><!-- --></a>
|
||
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
||
|
|
<h1 class="topictitle1">JAAS permission checks</h1>
|
||
|
|
<div><p>IBM<sup>®</sup> JGSS
|
||
|
|
performs runtime permission checks at the time the JAAS-enabled program uses
|
||
|
|
credentials and accesses services. You can disable this optional JAAS feature
|
||
|
|
by setting the Java™ property avax.security.auth.useSubjectCredsOnly
|
||
|
|
to false. Moreover, JGSS performs permission checks only when the application
|
||
|
|
runs with a security manager.</p>
|
||
|
|
<p>JGSS performs permission checks against the Java policy that is in effect for the current
|
||
|
|
access control context. JGSS performs the following specific permission checks:</p>
|
||
|
|
<ul><li>javax.security.auth.kerberos.DelegationPermission</li>
|
||
|
|
<li>javax.security.auth.kerberos.ServicePermission</li>
|
||
|
|
</ul>
|
||
|
|
<div class="section"><h4 class="sectiontitle">DelegationPermission check</h4><p>The DelegationPermission
|
||
|
|
allows the security policy to control the use of the ticket forwarding and
|
||
|
|
proxying features of Kerberos. Using these features, a client can allow a
|
||
|
|
service to act on behalf of the client.</p>
|
||
|
|
<p>DelegationPermission takes two
|
||
|
|
arguments, in the following order:</p>
|
||
|
|
<ol><li>The subordinate principal, which is the name of the service principal
|
||
|
|
that acts on behalf of, and under the authority of, the client.</li>
|
||
|
|
<li> The name of the service that the client wants to allow the subordinate
|
||
|
|
principal to use.</li>
|
||
|
|
</ol>
|
||
|
|
<p><strong>Example: Using the DelegationPermission check</strong></p>
|
||
|
|
<p>In the
|
||
|
|
following example, superSecureServer is the subordinate principal and krbtgt/REALM.IBM.COM@REALM.IBM.COM
|
||
|
|
is the service that we want to allow superSecureServer to use on behalf of
|
||
|
|
the client. In this case, the service is the ticket-granting ticket for the
|
||
|
|
client, which means that superSecureServer can get a ticket for any service
|
||
|
|
on behalf of the client.</p>
|
||
|
|
<pre> permission javax.security.auth.kerberos.DelegationPermission
|
||
|
|
"\"superSecureServer/host.ibm.com@REALM.IBM.COM\"
|
||
|
|
\"krbtgt/REALM.IBM.COM@REALM.IBM.COM\"";</pre>
|
||
|
|
<p>In the previous
|
||
|
|
example, DelegationPermission grants the client permission to get a new ticket-granting
|
||
|
|
ticket from the Key Distribution Center (KDC) that only superSecureServer
|
||
|
|
can use. After the client has sent the new ticket-granting ticket to superSecureServer,
|
||
|
|
superSecureServer has the ability to act on behalf of the client. </p>
|
||
|
|
<p>The
|
||
|
|
following example enables the client to get a new ticket that allows superSecureServer
|
||
|
|
to access only the ftp service on behalf of the client:</p>
|
||
|
|
<pre> permission javax.security.auth.kerberos.DelegationPermission
|
||
|
|
"\"superSecureServer/host.ibm.com@REALM.IBM.COM\"
|
||
|
|
\"ftp/ftp.ibm.com@REALM.IBM.COM\"";</pre>
|
||
|
|
<p>For
|
||
|
|
more information, see the javax.security.auth.kerberos.DelegationPermission
|
||
|
|
class in the <a href="http://java.sun.com/j2se/1.4/docs/index.html" target="_blank">J2SDK documentation</a> on the Sun Web site.</p>
|
||
|
|
</div>
|
||
|
|
<div class="section"><h4 class="sectiontitle">ServicePermission check</h4><p>ServicePermission checks
|
||
|
|
restrict the use of credentials for context initiation and acceptance. A context
|
||
|
|
initiator must have permission to initiate a context. Likewise, a context
|
||
|
|
acceptor must have permission to accept a context.</p>
|
||
|
|
<p><strong>Example: Using
|
||
|
|
the ServicePermission check</strong></p>
|
||
|
|
<p>The following example allows the client
|
||
|
|
side to initiate a context with the tp service by granting permission to the
|
||
|
|
client:</p>
|
||
|
|
<pre> permission javax.security.auth.kerberos.ServicePermission
|
||
|
|
"ftp/host.ibm.com@REALM.IBM.COM", "initiate";</pre>
|
||
|
|
<p>The
|
||
|
|
following example allows the server side to access and use the secret key
|
||
|
|
or the ftp service by granting permission to the server:</p>
|
||
|
|
<pre> permission javax.security.auth.kerberos.ServicePermission
|
||
|
|
"ftp/host.ibm.com@REALM.IBM.COM", "accept";</pre>
|
||
|
|
<p>For more information, see the javax.security.auth.kerberos.ServicePermission
|
||
|
|
class in the <a href="http://java.sun.com/j2se/1.4/docs/index.html" target="_blank">J2SDK documentation</a> on the Sun Web site.</p>
|
||
|
|
</div>
|
||
|
|
</div>
|
||
|
|
<div>
|
||
|
|
<div class="familylinks">
|
||
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzahajgsscfgsecmgr.htm" title="If you are running your JGSS application with a Java security manager enabled, you need to ensure that your application and JGSS have the necessary permissions.">Using a security manager</a></div>
|
||
|
|
</div>
|
||
|
|
<div class="relconcepts"><strong>Related concepts</strong><br />
|
||
|
|
<div><a href="rzahajgssjvmperm.htm">JVM permissions</a></div>
|
||
|
|
</div>
|
||
|
|
</div>
|
||
|
|
</body>
|
||
|
|
</html>
|