Just wanted to ask one thing which is not clear from the example:
- The method changeJVMEncoding(Subject subject).
As I can see, the method is creating an anonymous inner class and declaring the method run; it is protecting the System.setProperty() method by using the JAAS framework. Just wanted to ask: is there a way by which I can protect the System.setProperty() method itself instead of putting it in an authenticated wrapper? Does JAAS provide something of this sort?
Rohit: is there a way by which I can protect the System.setProperty() method itself instead of putting it in an authenticated wrapper?
As Rahul has mentioned in his article:
There are two sets of interesting methods - doAs and doAsPrivileged. The main purpose of these is to associate the authenticated subject with the current AccessControlContext.
The only thing that code is doing is asking JAAS to check permissions for the user identity denoted by the subject. Since the subject is not automatically associated with the call stack, some piece of code has to tell JAAS as to who is the user who is trying to access this piece of code.
The actual permission check is done inside the method System.setProperty().
Hope this clears your doubt. [ July 31, 2008: Message edited by: Nitesh Kant ]
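The split described in the reply above, as an added example that is not part of the original posts or of Rahul's article: the permission check fires inside System.setProperty() on every call, and Subject.doAs only decides which subject that check sees. SubjectAwareManager, RolePrincipal and the "file.encoding" property are hypothetical stand-ins (a real deployment would use a policy file and a LoginModule), and the code assumes a JDK on which a Security Manager can still be installed (it is deprecated since Java 17 and disabled in recent releases).

```java
import java.security.AccessController;
import java.security.Permission;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.PropertyPermission;
import javax.security.auth.Subject;

public class SetPropertyCheckDemo {
    // Hypothetical principal type; a real LoginModule would supply its own.
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public boolean equals(Object o) {
            return o instanceof RolePrincipal && ((RolePrincipal) o).name.equals(name);
        }
        public int hashCode() { return name.hashCode(); }
    }

    // Stand-in for a policy file: writing a property requires an "admin" principal.
    static final class SubjectAwareManager extends SecurityManager {
        @Override public void checkPermission(Permission perm) {
            boolean write = perm instanceof PropertyPermission && perm.getActions().contains("write");
            if (!write) return; // everything else is allowed in this demo
            // Called from inside System.setProperty(); a subject is visible here
            // only if some caller bound it to the context with Subject.doAs().
            Subject s = Subject.getSubject(AccessController.getContext());
            if (s == null || !s.getPrincipals().contains(new RolePrincipal("admin")))
                throw new SecurityException("denied: " + perm);
        }
    }

    // Same shape as the wrapper discussed above; the property name is assumed.
    static String changeJVMEncoding(Subject subject) {
        try {
            return Subject.doAs(subject, (PrivilegedAction<String>) () -> {
                System.setProperty("file.encoding", "UTF-8");
                return "allowed";
            });
        } catch (SecurityException e) { return "denied"; }
    }

    public static void main(String[] args) {
        System.setSecurityManager(new SubjectAwareManager());
        Subject admin = new Subject();
        admin.getPrincipals().add(new RolePrincipal("admin"));
        System.out.println("admin subject: " + changeJVMEncoding(admin));
        System.out.println("empty subject: " + changeJVMEncoding(new Subject()));
        try { System.setProperty("file.encoding", "UTF-8"); } // no doAs at all
        catch (SecurityException e) { System.out.println("no doAs:       denied"); }
    }
}
```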