Eric Stadtherr

Greenhorn
since Sep 27, 2006

Recent posts by Eric Stadtherr

bump... has anyone implemented a solution for this kind of issue?
17 years ago
I am writing a set of applications (individual Java processes running in their own VMs) that all require authorization based on user identity (a login and password that will be distinct from the operating system login and password) before performing certain functions. There is one application that starts first, within which I am creating a LoginContext, presenting a "username/password" dialog, and then authenticating against the username/password provided by the user (using my own LoginModule as configured in the LoginContext config). This establishes the user's Subject and Principals within JAAS. Later, this application needs to start the other applications (using the Runtime.exec() method). These other applications need to authorize different actions performed by the user (using the AccessController and Permission objects in JAAS). I'd like the JAAS credentials (Subject and Permissions) that were established in the original application to be available to the other applications without forcing the user to type their username and password into each application.

This resembles a Single SignOn architecture, but there is no web server or other central place to hold onto the credentials.

I think you were assuming that I was talking about the UID that owns the Java process within the OS, but that's almost irrelevant in this case. I need the distinct identity/credentials established by JAAS and my own LoginModule to be propagated to the child processes, not just the OS process owner.

Does that help?
-Eric
17 years ago
I have a Java application that requires a user to log in, at which time the user is authenticated using the standard JAAS LoginContext. This initial application needs to start a set of child processes (using Runtime.exec()). These child processes need to inherit the user-based credentials of the initial application, but I don't want the user to have to type their username and password for every child process. Is there a secure way for the child processes to inherit the authentication results from the parent process? I've thought about command line arguments, environment variables, and socket connections back to the parent, but they all expose a vulnerability wherein a malicious process could obtain those credentials. Has anyone else solved this issue?

Thanks!
-Eric
17 years ago