I am writing a set of applications (individual Java processes running in their own VMs) that all require authorization based on user identity (a login and password that will be distinct from the operating system login and password) before performing certain functions. There is one application that starts first, within which I am creating a LoginContext, presenting a "username/password" dialog, and then authenticating against the username/password provided by the user (using my own LoginModule as configured in the LoginContext config). This establishes the user's Subject and Principals within JAAS. Later, this application needs to start the other applications (using the Runtime.exec() method). These other applications need to authorize different actions performed by the user (using the AccessController and Permission objects in JAAS). I'd like the JAAS credentials (Subject and Permissions) that were established in the original application to be available to the other applications without forcing the user to type their username and password into each application.
This resembles a Single Sign-On architecture, but there is no web server or other central place to hold onto the credentials.
I think you were assuming that I was talking about the UID that owns the Java process within the OS, but that's almost irrelevant in this case. I need the distinct identity/credentials established by JAAS and my own LoginModule to be propagated to the child processes, not just the OS process owner.
Does that help?
-Eric