Consider Using JAAS for Authorization

Posted by Serge Truth on August 9, 2011 at 11:07 AM

Applies to

Applications written using Servlets or JSP.

What to Do

Consider using Java Authentication and Authorization Services for authorization.

Why

As part of Java's security model, JAAS is proven to work with stand-alone and web-based applications. JAAS is fully integrated into the Java platform and requires minimal overhead when deploying within stand-alone and web-based applications.

When

If your application uses access control and authorizes its users to determine which roles can gain access to which resources, then consider using JAAS rather than devoting resources to creating your own design.

How

To authorize using JAAS:

  1. Create a JAAS policy. The JAAS policy stores the rights associated with the different types of users. It is loaded into the Java Virtual Machine (JVM) by using the -Djava.security.auth.policy flag when loading the JVM instance that hosts your application. The JAAS policy can be created using a typical text editor or the Java Policy Tool. An example policy file looks like:

    grant Principal application.auth.UserToken "joe"
    {
        permission java.security.SecurityPermission "AccessApp";
    };

    To provide extra flexibility in managing access controls, JAAS allows an application to append additional permissions to the current JAAS policy as well as to fully modify the JAAS policy during runtime.

    • Appending to the JAAS policy: To append additional permissions, the application component that is responsible for modifying the policy must have a getPolicy permission granted within the application's security policy. 

      Example of appending additional permissions to a given user:

      import java.security.*;

      // Build a ProtectionDomain that stands for code running as user "joe"
      CodeSigner[] csign = null;
      CodeSource csource = new CodeSource(null, csign);
      Principal[] principals = { new application.auth.UserToken("joe") };
      ProtectionDomain pDomain = new ProtectionDomain(csource, null, null, principals);

      // Needs SecurityPermission "getPolicy" once a Security Manager is installed
      Policy policy = Policy.getPolicy();
      PermissionCollection permCollect = policy.getPermissions(pDomain);
      SecurityPermission secPerm = new SecurityPermission("ModifyUser");
      permCollect.add(secPerm);
      // Caveat: the default Policy implementation returns a fresh copy from
      // getPermissions(), so the permission added here is visible only through
      // permCollect; later checkPermission() calls still consult the Policy itself
    • Amending the JAAS policy: To amend the policy, the application component responsible for modifying the policy must have a setPolicy permission granted within the application's security policy. Example:

      // Needs SecurityPermission "setPolicy" once a Security Manager is installed
      java.security.Policy policy = new ApplicationPolicy();

      // Add the appropriate permissions to the custom policy before installing it

      java.security.Policy.setPolicy(policy);

      Note that the ApplicationPolicy class is a custom implementation of Java's abstract Policy class. For more information, please consult the documentation for Policy Class in the Java SDK.

  2. Implement the PrivilegedExceptionAction. The PrivilegedExceptionAction invokes the authorization process. Using the Java Security Manager, the application verifies whether the current user is allowed to perform the desired task. Example:

    import java.security.*;

    public final class AuthException implements PrivilegedExceptionAction<Void>
    {
        private final String name;

        public AuthException(String name)
        {
            // Set the name of the requested action
            this.name = name;
        }

        public Void run()
        {
            // The permission is checked against the current access control context;
            // when run via Subject.doAsPrivileged that context carries the Subject's principals
            Permission perm = new SecurityPermission(name);
            SecurityManager secMan = System.getSecurityManager();
            if (secMan == null)
            {
                secMan = new SecurityManager();
            }
            secMan.checkPermission(perm); // throws SecurityException if the check fails
            return null;
        }
    }
  3. Enforce the JAAS policy. Because JAAS is an entity-oriented model, it requires the impersonation of users when performing authorization. As such, the application impersonates the user when trying to perform a given task. If the user does not have sufficient permissions, the Java Security Manager will throw a SecurityException. Example:

    // subject is the authenticated javax.security.auth.Subject (e.g. from LoginContext.getSubject())
    PrivilegedExceptionAction<Void> action = new AuthException("NameOfAction");
    Subject.doAsPrivileged(subject, action, null); // throws SecurityException if not authorized
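The three steps above fit together in the following example, added here and not part of the original post: instead of a policy file it installs an in-memory, principal-based `Policy` (the "amend" path of step 1), implements the privileged action of step 2, and impersonates two users in step 3, one of whom lacks a permission. The class names `JaasAuthzDemo`, `UserToken`, `ApplicationPolicy` and `AuthorizeAction`, the `"app."` permission prefix and the users `joe` and `admin` are all constructed for this example. It relies on the Security Manager, which JDK 17 still runs (with a deprecation warning, JEP 411), JDK 18 to 23 run only with `-Djava.security.manager=allow`, and JDK 24 and later no longer support at all (JEP 486).

```java
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;
import java.security.SecurityPermission;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.security.auth.AuthPermission;
import javax.security.auth.Subject;

// Constructed end-to-end JAAS authorization demo; not code from the original post.
public final class JaasAuthzDemo {

    // Principal type for application users (stands in for application.auth.UserToken).
    static final class UserToken implements Principal {
        private final String name;
        UserToken(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof UserToken && ((UserToken) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    // Step 1 (amend): a custom Policy. Application permissions are SecurityPermissions
    // named "app.*" and are granted per user; a domain without a UserToken gets none of
    // them. All other permissions fall back to the policy that was active before.
    static final class ApplicationPolicy extends Policy {
        static final String APP_PREFIX = "app.";
        private final Policy fallback;
        private final Map<String, PermissionCollection> userGrants = new HashMap<>();
        private final PermissionCollection codeGrants = new Permissions();

        ApplicationPolicy(Policy fallback) {
            this.fallback = fallback;
            // Application code must be allowed to enter Subject.doAsPrivileged; nothing else is added.
            codeGrants.add(new AuthPermission("doAsPrivileged"));
        }

        void grant(String user, String appPermission) {
            PermissionCollection pc = userGrants.get(user);
            if (pc == null) { pc = new Permissions(); userGrants.put(user, pc); }
            pc.add(new SecurityPermission(APP_PREFIX + appPermission));
        }

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            boolean isAppPermission = permission instanceof SecurityPermission
                    && permission.getName().startsWith(APP_PREFIX);
            if (!isAppPermission) {
                return codeGrants.implies(permission) || fallback.implies(domain, permission);
            }
            // Entity-oriented check: the domain must carry a UserToken with a matching grant.
            for (Principal p : domain.getPrincipals()) {
                if (p instanceof UserToken) {
                    PermissionCollection pc = userGrants.get(p.getName());
                    if (pc != null && pc.implies(permission)) return true;
                }
            }
            return false;
        }
    }

    // Step 2: the privileged action that asks the Security Manager for an application permission.
    static final class AuthorizeAction implements PrivilegedExceptionAction<String> {
        private final String action;
        AuthorizeAction(String action) { this.action = action; }
        @Override public String run() {
            SecurityManager sm = System.getSecurityManager();
            if (sm == null) sm = new SecurityManager();
            // Throws SecurityException when the impersonated user lacks the permission.
            sm.checkPermission(new SecurityPermission(ApplicationPolicy.APP_PREFIX + action));
            return action;
        }
    }

    // Step 3: impersonate the user and run the action; true if the check passed.
    static boolean isAuthorized(String user, String action) {
        Subject subject = new Subject(true, Set.of(new UserToken(user)), Set.of(), Set.of());
        try {
            Subject.doAsPrivileged(subject, new AuthorizeAction(action), null);
            return true;
        } catch (SecurityException denied) {
            return false;
        } catch (PrivilegedActionException e) { // checked exceptions from run(); none here
            throw new IllegalStateException(e.getException());
        }
    }

    public static void main(String[] args) {
        // Build and install the policy first, then the Security Manager: setPolicy needs
        // no permission while no Security Manager is installed.
        ApplicationPolicy policy = new ApplicationPolicy(Policy.getPolicy());
        policy.grant("joe", "AccessApp");
        policy.grant("admin", "AccessApp");
        policy.grant("admin", "ModifyUser");
        Policy.setPolicy(policy);
        System.setSecurityManager(new SecurityManager());

        System.out.println("joe   AccessApp  -> " + isAuthorized("joe", "AccessApp"));
        System.out.println("joe   ModifyUser -> " + isAuthorized("joe", "ModifyUser"));
        System.out.println("admin ModifyUser -> " + isAuthorized("admin", "ModifyUser"));
    }
}
```

Compile with `javac JaasAuthzDemo.java` and run with `java -Djava.security.manager=allow JaasAuthzDemo` (the flag is harmless on JDK 17): joe is granted AccessApp and refused ModifyUser, admin is granted both. Chaining to the previously installed policy keeps the JDK permissions of application code exactly as they were, so the custom policy only adds user-scoped rights rather than replacing code-based ones. If you prefer the file-based route of step 1, note that the `-Djava.security.auth.policy` property belongs to the older `javax.security.auth.Policy` API; since Java 1.4 a principal-based grant entry like the one shown above can be placed in the standard policy file passed with `-Djava.security.policy`.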

Topics: developer guidance, application security

Written by Serge Truth

Serge is a Content Lead here at Security Innovation. He is an IT and Information Security professional, certified by the Committee on National Security Systems Instruction.