Authorization using JAAS
|
Jenny George
Greenhorn
Joined: May 13, 2005
Posts: 16
|
|
Hello All,

How can we check authorization using the JAAS policy file? I'm working on a Swing-based desktop application and need to restrict access to some screens, based on the user role. Which method can be used to check against the policy file, if a particular role has access to a form? The policy file contains roles and permissions, as follows:

    grant codeBase "" Principal java.security.Principal "supervisor", Principal java.security.Principal "admin" {
        permission java.security.AllPermission "us.md.state.courts.ui.form1" "read";
        permission java.security.AllPermission "us.md.state.courts.ui.form2" "read";
        permission java.security.AllPermission "us.md.state.courts.ui.form2" "read";
    };

Could someone please give an idea?

Thanks in advance,
Jenny
|
"Knowledge is proud that she knows so much; wisdom is humble that she knows no more."
|
 |
Nitesh Kant
Bartender
Joined: Feb 25, 2007
Posts: 1638
|
|
Does not look like the policy file you have supplied is authentic. It has granted all permission and that too with a name and action. All permission does not honour a name and action. It means absolutely all permissions. However, in your case you should define a new permission of your own that will have actions depicting read/update types on screen names. Create your principal that holds the role name. Then use the following code (If you have a subject after authentication you can use the same instead of creating one as in the below code)
|
apigee, a better way to API!
|
 |
J Abraham
Ranch Hand
Joined: Jun 25, 2004
Posts: 101
|
|
Hi Nitesh, So how do I create a principal and set the name and actions if that policy file format is wrong?
|
J Abraham
SCJP5,SCWCD1.4
|
 |
Nitesh Kant
Bartender
Joined: Feb 25, 2007
Posts: 1638
|
|
No, the format of the property file is correct but the entries make no sense. Typically for the code posted the following should be an entry in the property file:

    grant principal security.MyPrincipal "nitesh" {
        permission security.MyPermission "mine" , "read";
    };

Policy file only tells you what principal/codesource have what permissions. It does not create principals and permissions for you. You should create a permission instance and then check with the AccessController whether the subject has the required permissions (refer code sample). The AccessController refers to the policy file and does the check for you. You can go through the JAAS tutorial on the Sun site, that will help.
|
 |
Jenny George
Greenhorn
Joined: May 13, 2005
Posts: 16
|
|
Thanks Nitesh. It was very helpful information. Jenny
|
 |
J Abraham
Ranch Hand
Joined: Jun 25, 2004
Posts: 101
|
|
Hi Nitesh, So you say security.MyPermission is a user-defined class where he can set the permissions for a file/directory. Can you post a sample MyPrincipal and MyPermission file?
|
 |
Nitesh Kant
Bartender
Joined: Feb 25, 2007
Posts: 1638
|
|
If the permission you want to check is read/write/execute/delete on a file/directory then you should use java.io.FilePermission. However, if you need some permissions specific to your application you can create a new permission. Following is a sample implementation (Disclaimer: This doesn't do anything logical)
|
 |
J Abraham
Ranch Hand
Joined: Jun 25, 2004
Posts: 101
|
|
Hi, Can you post a sample policy file if you have one?
|
 |
J Abraham
Ranch Hand
Joined: Jun 25, 2004
Posts: 101
|
|
Hi, This is a policy file created by me...

    grant principal security.MyPrincipal "ADMIN" {
        permission security.WPermission "uiScreen" , "read,write";
    };

My doubt is how to send the screen name "uiScreen" to the permission class?
|
 |
J Abraham
Ranch Hand
Joined: Jun 25, 2004
Posts: 101
|
|
Nitesh, In my case I'm getting the role (principal) after authentication, and the form name (it may be a class), as I'm using a desktop application. I just want to check the permission by checking the policy file. The arguments are the role and the name of the class, but I need a boolean value as the return. Would the code that you have posted work in my case?
|
 |
Nitesh Kant
Bartender
Joined: Feb 25, 2007
Posts: 1638
|
|
Hi Jibin Abraham, I think there is a disconnect somewhere. See there are two aspects of the whole policy file stuff. The policy file is defined statically and in your case it should have entries for all the screens you want to protect. At runtime, you will check for permissions on one of the screens defined statically(in policy file), using AccessController.checkPermission() passing the permission object containing the name of the screen and the action to check. This will be done for the authenticated resource(subject).
|
 |
J Abraham
Ranch Hand
Joined: Jun 25, 2004
Posts: 101
|
|
Hi Nitesh, Thanks for the reply.
Originally posted by Nitesh Kant: The policy file is defined statically and in your case it should have entries for all the screens you want to protect. At runtime, you will check for permissions on one of the screens defined statically(in policy file), using AccessController.checkPermission() passing the permission object containing the name of the screen and the action to check. This will be done for the authenticated resource(subject).
Do you have any example for this?
|
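The runtime check described in the thread (a principal holding the role, a custom permission with a screen name and actions, and AccessController.checkPermission() turned into a boolean), as an added example that is not code from any poster; it also covers the sample principal and permission classes asked for earlier. The names ScreenAuthz, Role, ScreenPermission, isAllowed and the file screens.policy are hypothetical. It assumes a JDK that still honours policy files (the Security Manager APIs, AccessController included, are deprecated for removal since Java 17).

```java
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;

// Constructed policy entry (nested classes are named with '$'); load with -Djava.security.policy=screens.policy
//   grant principal ScreenAuthz$Role "ADMIN" {
//     permission ScreenAuthz$ScreenPermission "uiScreen", "read,write"; };
public class ScreenAuthz {
    public static final class Role implements Principal { // hypothetical principal holding the role name
        private final String name;
        public Role(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof Role && ((Role) o).name.equals(name); }
        @Override public int hashCode() { return name.hashCode(); }
    }
    public static final class ScreenPermission extends Permission { // hypothetical: name = screen
        private final Set<String> actions = new TreeSet<>();
        public ScreenPermission(String screen, String actionList) { // public (name, actions) constructor for the policy loader
            super(screen);
            for (String a : actionList.split(",")) actions.add(a.trim().toLowerCase(Locale.ROOT));
        }
        @Override public boolean implies(Permission p) { // same screen, requested actions are a subset
            return p instanceof ScreenPermission && p.getName().equals(getName())
                    && actions.containsAll(((ScreenPermission) p).actions);
        }
        @Override public String getActions() { return String.join(",", actions); }
        @Override public boolean equals(Object o) { // equal when each implies the other
            return o instanceof Permission && implies((Permission) o) && ((Permission) o).implies(this);
        }
        @Override public int hashCode() { return Objects.hash(getName(), actions); }
    }
    /** True if the policy grants action on screen to role; false on any denial. */
    public static boolean isAllowed(String role, String screen, String action) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new Role(role));
        try {
            Subject.doAsPrivileged(subject, (PrivilegedAction<Void>) () -> {
                AccessController.checkPermission(new ScreenPermission(screen, action));
                return null;
            }, null); // null context: only this code's domain plus the subject's principals are checked
            return true;
        } catch (AccessControlException denied) {
            return false; // fail closed: no matching grant means the screen stays unavailable
        }
    }
    public static void main(String[] args) {
        System.out.println("ADMIN read uiScreen:  " + isAllowed("ADMIN", "uiScreen", "read"));
        System.out.println("CLERK write uiScreen: " + isAllowed("CLERK", "uiScreen", "write"));
    }
}
```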