<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Details: How HelloWorld for Java Authentication and Authorization Service works" />
<meta name="DC.Relation" scheme="URI" content="jaashllo.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="jaaswork" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Details: How HelloWorld for Java Authentication and Authorization Service
works</title>
</head>
<body id="jaaswork"><a name="jaaswork"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Details: How HelloWorld for Java Authentication and Authorization Service
works</h1>
<div><p>This document takes a closer look at how <strong>HelloWorld</strong> for Java™ Authentication
and Authorization Service (JAAS) works. This information should be considered
a replacement for the <strong>HelloWorld</strong> section of the <a href="api.htm">API
Developers Guide</a>. The source code, policy, and configuration files
are the same as those in the API Developers Guide. There are, however, some
aspects that are unique to the iSeries™ server.</p>
<div class="note"><span class="notetitle">Note:</span> By using the
code examples, you agree to the terms of the <a href="codedisclaimer.htm">Code license and disclaimer information</a>.</div>
<p><strong>Configuration and policy files</strong></p>
<p>The configuration file, <strong>jaas.config</strong>, contains one entry:</p>
<pre>helloWorld {
    com.ibm.security.HWLoginModule required debug=true;
};</pre>
<p>The test case includes only one LoginModule. When running the HelloWorld
application, you can experiment by changing the LoginModuleControlFlag (required,
requisite, sufficient, optional) and deleting the debug flag. If more LoginModules
are available for testing, then you can alter this configuration and experiment
with multiple LoginModules. </p>
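<p>The effect of each LoginModuleControlFlag can be seen without extra LoginModules by stacking a failing module in front of a passing one. The following is an added example, not part of the HelloWorld sources: ControlFlagDemo, FixedResultModule and its "pass" option are hypothetical names, the Configuration is supplied in code instead of through jaas.config, and Java 9 or later is assumed.</p>

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;
import static javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag.*;

public class ControlFlagDemo {
    static int loginCalls;   // number of modules whose login() was invoked
    // Hypothetical module: passes or fails according to its "pass" option.
    public static class FixedResultModule implements LoginModule {
        private boolean pass;
        public void initialize(Subject s, CallbackHandler h, Map shared, Map options) {
            pass = "true".equals(options.get("pass"));
        }
        public boolean login() throws LoginException {
            loginCalls++;
            if (!pass) throw new FailedLoginException("constructed failure");
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    static AppConfigurationEntry entry(LoginModuleControlFlag flag, boolean pass) {
        return new AppConfigurationEntry(FixedResultModule.class.getName(), flag,
                Map.of("pass", String.valueOf(pass)));
    }

    // Stack under test: a failing module carrying the given flag, then a passing "required" one.
    static String run(LoginModuleControlFlag flag) {
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry(flag, false), entry(REQUIRED, true) };
            }
        };
        loginCalls = 0;
        String outcome = "succeeds";
        try { new LoginContext("helloWorld", new Subject(), null, cfg).login(); }
        catch (LoginException e) { outcome = "fails"; }
        return flag + ": login " + outcome + ", modules tried: " + loginCalls;
    }

    public static void main(String[] args) {
        for (LoginModuleControlFlag f : new LoginModuleControlFlag[] { REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL })
            System.out.println(run(f));
    }
}
```

<p>A failure is fatal to the overall login only for required and requisite, and only requisite stops the stack before the second module is tried.</p>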
<p>The Java 2 policy file, <strong>java2.policy</strong>, contains one
permission block:</p>
<pre>grant {
    permission javax.security.auth.AuthPermission "createLoginContext";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "doAsPrivileged";
};</pre>
<p> The three permissions are required because the HelloWorld application
does the following: </p>
<ol><li>Creates a LoginContext object.</li>
<li>Changes the Principals of the authenticated Subject.</li>
<li>Calls the doAsPrivileged method of the Subject class.</li>
</ol>
<p>The JAAS policy file, <strong>jaas.policy</strong>, also contains one permission
block:</p>
<pre>grant Principal com.ibm.security.HWPrincipal "bob" {
    permission java.util.PropertyPermission "java.home", "read";
    permission java.util.PropertyPermission "user.home", "read";
    permission java.io.FilePermission "foo.txt", "read";
};</pre>
<p> The three permissions are initially granted to an HWPrincipal named "bob".
The actual Principal added to the authenticated Subject is the user name used
during the login process. </p>
<p>Here is the action code from HelloWorld with the three system calls (the
reason for the required permissions) in bold:</p>
<pre>Subject.doAsPrivileged(lc.getSubject(), new PrivilegedAction() {
    public Object run() {
        System.out.println("\nYour java.home property: "
                <strong>+System.getProperty("java.home")</strong>);
        System.out.println("\nYour user.home property: "
                <strong>+System.getProperty("user.home")</strong>);
        File f = new File("foo.txt");
        System.out.print("\nfoo.txt does ");
        if (<strong>!f.exists()</strong>) System.out.print("not ");
        System.out.println("exist in your current directory");
        System.out.println("\nOh, by the way ...");
        try {
            Thread.currentThread().sleep(2000);
        } catch (Exception e) {
            // ignore
        }
        System.out.println("\n\nHello World!\n");
        return null;
    }
}, null);</pre>
<p> When running the HelloWorld program, use various user names and alter
jaas.policy accordingly. There should not be a need to alter java2.policy.
Also, create a file called foo.txt in the test directory to test the last
system call and confirm that the correct level of access is granted to that
file. </p>
<p><strong>Examine HelloWorld source files</strong></p>
<p>The LoginModule class, HWLoginModule, simply authenticates any user who
enters the correct password (case sensitive with space):</p>
<ul><li><strong>Go JAAS</strong></li>
</ul>
<p> If running with a security manager, you must enter user 'bob' for all
of the access permissions to succeed. </p>
<p>The HelloWorld application permits users three attempts to do so. When
Go JAAS is correctly entered, an HWPrincipal object with a name equal to the
user name is added to the authenticated Subject.</p>
<p>The Principal class, HWPrincipal, represents a Principal based on the user
name that is entered. This name is important when granting permissions to
authenticated Subjects.</p>
<p>The main application, HelloWorld, first creates a LoginContext based on
a configuration entry with the name helloWorld. Callbacks are used to retrieve
user input. Look at the MyCallbackHandler class located in the HelloWorld.java
file to see this process. Here is an excerpt from the source code:</p>
<pre>LoginContext lc = null;
try {
    lc = new LoginContext("helloWorld", new MyCallbackHandler());
} catch (LoginException le) {
    le.printStackTrace();
    System.exit(-1);
}</pre>
<p> The user enters a user name and password (up to three times) and if Go
JAAS is entered as the password, then the Subject is authenticated (HWLoginModule
adds an HWPrincipal to the Subject). Work is then performed as the authenticated
Subject. </p>
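<p>The callback exchange and the two-phase login/commit sequence described above can be traced in a single class. This is an added example, not IBM's HWLoginModule or MyCallbackHandler: DemoLoginModule is a hypothetical name, com.sun.security.auth.UserPrincipal stands in for HWPrincipal, the lambda handler supplies constructed input instead of prompting, and main drives the module directly in the order a LoginContext would (Java 9 or later assumed).</p>

```java
import com.sun.security.auth.UserPrincipal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical module in the shape the page describes; not IBM's HWLoginModule.
public class DemoLoginModule implements LoginModule {
    private static final char[] EXPECTED = "Go JAAS".toCharArray();
    private Subject subject;
    private CallbackHandler handler;
    private UserPrincipal pending;   // chosen in login(), attached to the Subject only in commit()

    public void initialize(Subject s, CallbackHandler h, Map shared, Map options) { subject = s; handler = h; }

    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user name: ");
        PasswordCallback pass = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { name, pass }); }
        catch (Exception e) { throw new LoginException("callback handler failed: " + e); }
        boolean ok = Arrays.equals(pass.getPassword(), EXPECTED);   // getPassword() returns a copy, or null
        pass.clearPassword();
        if (name.getName() == null || !ok) throw new FailedLoginException("authentication failed");
        pending = new UserPrincipal(name.getName());
        return true;
    }

    public boolean commit() {        // phase two: only now does the Subject change
        if (pending != null) subject.getPrincipals().add(pending);
        return pending != null;
    }
    public boolean abort() { pending = null; return true; }
    public boolean logout() {
        if (pending != null) subject.getPrincipals().remove(pending);
        return abort();
    }

    public static void main(String[] args) throws Exception {
        Subject subject = new Subject();
        DemoLoginModule m = new DemoLoginModule();
        m.initialize(subject, cbs -> {       // constructed input in place of a prompt
            for (Callback c : cbs) {
                if (c instanceof NameCallback) ((NameCallback) c).setName("bob");
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(EXPECTED);
                else throw new UnsupportedCallbackException(c);
            }
        }, Map.of(), Map.of());
        if (m.login()) m.commit();
        System.out.println("Principals after commit: " + subject.getPrincipals());
    }
}
```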
<p>If the policy files are not found, a <strong>SecurityException</strong> is thrown.
Otherwise, information concerning your java.home and user.home properties
is displayed. Also, the existence of a file called foo.txt in your test directory
is checked. Finally, the ubiquitous "Hello World" message is displayed.</p>
<p><strong>Having fun with HelloWorld</strong></p>
<p>Rerun HelloWorld as many times as you like. Here is a list of some of the
things that you might want to try:</p>
<ul><li>Vary the user name and passwords entered</li>
<li>Change the configuration file entries</li>
<li>Change the policy file permissions</li>
<li>Add additional LoginModules to the helloWorld configuration entry</li>
<li>Add code base fields to the policy files</li>
<li>Run the program without a SecurityManager to see how it works if you run
into problems.</li>
</ul>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="jaashllo.htm" title="This information looks at how HelloWorld for Java Authentication and Authorization Service (JAAS) is compiled and run on an iSeries server.">Compile and run HelloWorld with Java Authentication and Authorization Service on an iSeries server</a></div>
</div>
</div>
</body>
</html>