ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzaha_5.4.0.1/rzahajgssjaasperm.htm

108 lines
6.8 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="JAAS permission checks" />
<meta name="abstract" content="IBM JGSS performs runtime permission checks at the time the JAAS-enabled program uses credentials and accesses services. You can disable this optional JAAS feature by setting the Java property avax.security.auth.useSubjectCredsOnly to false. Moreover, JGSS performs permission checks only when the application runs with a security manager." />
<meta name="description" content="IBM JGSS performs runtime permission checks at the time the JAAS-enabled program uses credentials and accesses services. You can disable this optional JAAS feature by setting the Java property avax.security.auth.useSubjectCredsOnly to false. Moreover, JGSS performs permission checks only when the application runs with a security manager." />
<meta name="DC.Relation" scheme="URI" content="rzahajgsscfgsecmgr.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahajgssjvmperm.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzahajgssjaasperm" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>JAAS permission checks</title>
</head>
<body id="rzahajgssjaasperm"><a name="rzahajgssjaasperm"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">JAAS permission checks</h1>
<div><p>IBM<sup>®</sup> JGSS
performs runtime permission checks at the time the JAAS-enabled program uses
credentials and accesses services. You can disable this optional JAAS feature
by setting the Java™ property avax.security.auth.useSubjectCredsOnly
to false. Moreover, JGSS performs permission checks only when the application
runs with a security manager.</p>
<p>JGSS performs permission checks against the Java policy that is in effect for the current
access control context. JGSS performs the following specific permission checks:</p>
<ul><li>javax.security.auth.kerberos.DelegationPermission</li>
<li>javax.security.auth.kerberos.ServicePermission</li>
</ul>
<div class="section"><h4 class="sectiontitle">DelegationPermission check</h4><p>The DelegationPermission
allows the security policy to control the use of the ticket forwarding and
proxying features of Kerberos. Using these features, a client can allow a
service to act on behalf of the client.</p>
<p>DelegationPermission takes two
arguments, in the following order:</p>
<ol><li>The subordinate principal, which is the name of the service principal
that acts on behalf of, and under the authority of, the client.</li>
<li> The name of the service that the client wants to allow the subordinate
principal to use.</li>
</ol>
<p><strong>Example: Using the DelegationPermission check</strong></p>
<p>In the
following example, superSecureServer is the subordinate principal and krbtgt/REALM.IBM.COM@REALM.IBM.COM
is the service that we want to allow superSecureServer to use on behalf of
the client. In this case, the service is the ticket-granting ticket for the
client, which means that superSecureServer can get a ticket for any service
on behalf of the client.</p>
<pre> permission javax.security.auth.kerberos.DelegationPermission
"\"superSecureServer/host.ibm.com@REALM.IBM.COM\"
\"krbtgt/REALM.IBM.COM@REALM.IBM.COM\"";</pre>
<p>In the previous
example, DelegationPermission grants the client permission to get a new ticket-granting
ticket from the Key Distribution Center (KDC) that only superSecureServer
can use. After the client has sent the new ticket-granting ticket to superSecureServer,
superSecureServer has the ability to act on behalf of the client. </p>
<p>The
following example enables the client to get a new ticket that allows superSecureServer
to access only the ftp service on behalf of the client:</p>
<pre> permission javax.security.auth.kerberos.DelegationPermission
"\"superSecureServer/host.ibm.com@REALM.IBM.COM\"
\"ftp/ftp.ibm.com@REALM.IBM.COM\"";</pre>
<p>For
more information, see the javax.security.auth.kerberos.DelegationPermission
class in the <a href="http://java.sun.com/j2se/1.4/docs/index.html" target="_blank">J2SDK documentation</a> on the Sun Web site.</p>
</div>
<div class="section"><h4 class="sectiontitle">ServicePermission check</h4><p>ServicePermission checks
restrict the use of credentials for context initiation and acceptance. A context
initiator must have permission to initiate a context. Likewise, a context
acceptor must have permission to accept a context.</p>
<p><strong>Example: Using
the ServicePermission check</strong></p>
<p>The following example allows the client
side to initiate a context with the tp service by granting permission to the
client:</p>
<pre> permission javax.security.auth.kerberos.ServicePermission
"ftp/host.ibm.com@REALM.IBM.COM", "initiate";</pre>
<p>The
following example allows the server side to access and use the secret key
or the ftp service by granting permission to the server:</p>
<pre> permission javax.security.auth.kerberos.ServicePermission
"ftp/host.ibm.com@REALM.IBM.COM", "accept";</pre>
<p>For more information, see the javax.security.auth.kerberos.ServicePermission
class in the <a href="http://java.sun.com/j2se/1.4/docs/index.html" target="_blank">J2SDK documentation</a> on the Sun Web site.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzahajgsscfgsecmgr.htm" title="If you are running your JGSS application with a Java security manager enabled, you need to ensure that your application and JGSS have the necessary permissions.">Using a security manager</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzahajgssjvmperm.htm">JVM permissions</a></div>
</div>
</div>
</body>
</html>