Java开发网 Java开发网
注册 | 登录 | 帮助 | 搜索 | 排行榜 | 发帖统计  

您没有登录

» Java开发网 » Java Security  

按打印兼容模式打印这个话题 打印话题    把这个话题寄给朋友 寄给朋友    该主题的所有更新都将Email到你的邮箱 订阅主题
flat modethreaded modego to previous topicgo to next topicgo to back
作者 在web上jaas的声明性授权,出措???
neweagle



发贴: 0
积分: 0
于 2003-08-06 11:25 user profilesend a private message to usersearch all posts byselect and copy to clipboard. ie only, sorry for netscape users:-)add this post to my favorite list
jaas中授权问题??各位老大,现身拉
在web上做jaas的授权,可是老通不过,在命令下又可以,郁闷??
策略文件如下:
grant {
permission javax.security.auth.AuthPermission "createLoginContext";
permission javax.security.auth.AuthPermission "doAs";
permission javax.security.auth.AuthPermission "doAsPrivileged";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission "getSubject";
};
/**grant codebase "file:/D:/JBuilder8/myjbproject/JaasDemo805/classes/jaas/JaasDemo.jar"**/
grant Principal jaas.PrincipalImpl "Brad" {
permission jaas.PersonnelPermission "access";
};

主要用到类:
package jaas;

import java.security.*;
import javax.security.auth.*;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
//
// This is the main program in the JAAS Example. It creates a Login Context,
// logs the user in based on the settings in the Login Configuration file,
// and calls two sensitive pieces of code, the first using programmatic
// authorization, and the second using declaritive authorization.
public class JAASExample {

static LoginContext lc = null;

public static void main( String[] args) {
//
// Create a login context
try {
lc = new LoginContext("JAASExample",
new UsernamePasswordCallbackHandler());
} catch (LoginException le) {
System.out.println( "Login Context Creation Error" );
System.exit(1);
}
//
// Login
try {
lc.login();
} catch (LoginException le) {
System.out.println( "\nOVERALL AUTHENTICATION FAILED\n" );
System.exit(1);
}
System.out.println( "\nOVERALL AUTHENTICATION SUCCEEDED\n" );
System.out.println( lc.getSubject() );
//
// Call the sensitive PayrollAction code, which uses programmatic
// authorization.
try {
Subject.doAs( lc.getSubject(), new PayrollAction() );
} catch (AccessControlException e) {
System.out.println( "Payroll Access DENIED" );
}
//
// Call the sensitive PersonnelAction code, which uses declarative
// authorization.
try {
System.out.println("start here");
Subject.doAsPrivileged( lc.getSubject(), new PersonnelAction(), null );

} catch (AccessControlException e) {
System.out.println( "Personnel Access DENIED" );
}
try {
lc.logout();
} catch (LoginException le) {
System.out.println( "Logout FAILED" );
System.exit(1);
}
System.exit(0);
}
}
×××××××××××××××PersonnelAction.java
package jaas;

import java.io.*;
import java.security.*;
//
// This class is a sensitive Personnel function that demonstrates
// the use of declarative authorization using the user defined
// permission PersonnelPermission, which throws an exception
// if it not granted
public class PersonnelAction implements PrivilegedAction {
public Object run() {

try{
AccessController.checkPermission(new PersonnelPermission("access"));
System.out.println( "Subject has Personnel access\n");
}catch(Exception e){
System.out.println("error:" +e.getMessage());
}

return new Integer(0);
}
}
××××××××××××PersonnelPermission.java
package jaas;

import java.security.*;
//
// Implement a user defined permission for access to the personnel
// code for this example
public class PersonnelPermission extends BasicPermission {

public PersonnelPermission(String name) {
super(name);
}

public PersonnelPermission(String name, String action) {
super(name);
}
}

系统报错为:
error:access denied (jaas.PersonnelPermission access)

请指教阿,各位老大???????


作者 Re:在web上jaas的声明性授权,出措??? [Re:neweagle]
menzy



版主


发贴: 754
积分: 113
于 2003-08-06 16:02 user profilesend a private message to usersearch all posts byselect and copy to clipboard. ie only, sorry for netscape users:-)add this post to my favorite list
policy 文件的问题?
加上codebase试试看


作者 Re:在web上jaas的声明性授权,出措??? [Re:neweagle]
neweagle



发贴: 0
积分: 0
于 2003-08-06 16:12 user profilesend a private message to usersearch all posts byselect and copy to clipboard. ie only, sorry for netscape users:-)add this post to my favorite list
加上了codebase
如:
有包名的jaas.policy
grant {
permission javax.security.auth.AuthPermission "createLoginContext";
permission javax.security.auth.AuthPermission "doAs";
permission javax.security.auth.AuthPermission "doAsPrivileged";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission "getSubject";
};

grant codebase "file:/D:/JBuilder8/myjbproject/jaasSample/classes/jaas/jaasSample.jar",
Principal jaas.PrincipalImpl "larrye" {
permission jaas.PersonnelPermission "access";
};

没有包名的jaas.policy:
grant {
permission javax.security.auth.AuthPermission "createLoginContext";
permission javax.security.auth.AuthPermission "doAs";
permission javax.security.auth.AuthPermission "doAsPrivileged";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission "getSubject";
};

grant Principal PrincipalImpl "Brad" {
permission PersonnelPermission "access";
};

我在命令下运行的是没有包名jaas的,是可以找到能授权成功,但是我用jdk1.4下面的工具policytool.exe查看这个没有包名的策略文件,提示警告:找不到PrimcipalImpl,PersonnelPermission这两个类,奇怪???

但我在jbuilder下面生成测试后,加了个包名jaas,验证可以,程序性授权成功,就是声明性授权不成功。
谢谢回复,谢谢


作者 Re:在web上jaas的声明性授权,出措??? [Re:neweagle]
jprobe



发贴: 0
积分: 0
于 2003-08-27 18:49 user profilesend a private message to usersearch all posts byselect and copy to clipboard. ie only, sorry for netscape users:-)add this post to my favorite list
太多了,没有细看。
在WEB上,需要修改服务器的配置文件啊。如JBOSS里有一个login-config.xml专门用来设置jaas配置。我在项目中也成功设置了。

另外,请问,什么叫程序性授权,什么叫声明性授权?


作者 Re:在web上jaas的声明性授权,出措??? [Re:neweagle]
jsmile

Life is good



发贴: 127
积分: 52
于 2003-08-27 22:26 user profilesend a private message to usersend email to jsmilesearch all posts byselect and copy to clipboard. ie only, sorry for netscape users:-)add this post to my favorite list
Declarative authorization can be performed by a system administrator, who configures the system's access (that is, declares who can access which applications in the system). With declarative authorization, user access privileges can be added, changed, or revoked without affecting the underlying application code.

Programmatic authorization uses Java application code to make authorization decisions. Programmatic authorization is necessary when authorization decisions require more complex logic and decisions, which are beyond the capabilities of declarative authorization. Since programmatic authorization is built into the application code, making programmatic authorization changes requires that some part of the application code be rewritten.


作者 Re:在web上jaas的声明性授权,出措??? [Re:neweagle]
richardluopeng





发贴: 122
积分: 32
于 2003-08-28 19:50 user profilesend a private message to usersend email to richardluopengsearch all posts byselect and copy to clipboard. ie only, sorry for netscape users:-)add this post to my favorite list
程序性授权,什么叫声明性授权?

一个是硬编码,一个是申明


作者 Re:在web上jaas的声明性授权,出措??? [Re:neweagle]
floater

Java Jedi

总版主


发贴: 3233
积分: 421
于 2003-08-29 11:41 user profilesend a private message to usersearch all posts byselect and copy to clipboard. ie only, sorry for netscape users:-)add this post to my favorite list
where is your command line jdk?

jbuilder is using jdk under its own dir.

"Any fool can write code that a computer can understand. Good programmers write code that humans can understand."
- Martin Fowler, Refactoring - Improving the Design of Existing Code
作者 Re:在web上jaas的声明性授权,出措??? [Re:neweagle]
jsmile

Life is good



发贴: 127
积分: 52
于 2003-08-29 22:30 user profilesend a private message to usersend email to jsmilesearch all posts byselect and copy to clipboard. ie only, sorry for netscape users:-)add this post to my favorite list
Assume you already know how LoginModule, CallbackHandler and Permission works (Authentication). Here's the different code of two authorization types:
Declarative authorization:
class SomelAction implements PrivilegedAction
{
public Object run()
{
AccessController.checkPermission(new SomeDefinedPermission("xxx"));
// Perform tasks
return new Integer(0);
}
}

Programmatic authorization:
class SomeAction implements PrivilegedAction
{
public Object run()
{
AccessControlContext context = AccessController.getContext();
Subject subject = Subject.getSubject( context );

Set principals = subject.getPrincipals();
Iterator iterator = principals.iterator();
while (iterator.hasNext())
{
MyPrincipal principal = (MyPrincipal)iterator.next();
if (principal.getName().equals( "Some Pre-Defined Role"))
{
// Perform tasks
return new Integer(0);
}
}
throw new AccessControlException("Denied");
}
}


作者 Re:在web上jaas的声明性授权,出措??? [Re:neweagle]
jeez



发贴: 0
积分: 0
于 2003-09-01 17:36 user profilesend a private message to usersearch all posts byselect and copy to clipboard. ie only, sorry for netscape users:-)add this post to my favorite list
web下面用绝对路径是不行的;其次是policy要设在你运行的jdk下面,可以用policyTool查看。


作者 Re:在web上jaas的声明性授权,出措??? [Re:neweagle]
BlurEyes





发贴: 121
积分: 50
于 2003-09-01 20:48 user profilesend a private message to usersend email to BlurEyessearch all posts byselect and copy to clipboard. ie only, sorry for netscape users:-)add this post to my favorite list
看了一下,没看到auth.conf文件,只看到了policy文件。
请问JAASExample这个jaas Configuration在哪里定义的?(一般直接从javax.security.auth.login.Configuration继承,或者定义在auth.conf文件中。用来指定jaas的loginmodule)。
另外UsernamePasswordCallbackHandler的构造函数会一般会传人一个username,一个password。
没看到loginmodule的代码,不太好看出问题。


作者 Re:在web上jaas的声明性授权,出措??? [Re:neweagle]
neweagle



发贴: 0
积分: 0
于 2003-09-01 21:18 user profilesend a private message to usersearch all posts byselect and copy to clipboard. ie only, sorry for netscape users:-)add this post to my favorite list
有两个configuration文件:jaas.policy和login.config
这两个文件我都是放在源码同级目录下面的,只是在jdk里面java.sercurity指定了这两个文件的位置
请问jeez : jaas.policy一定要放在jdk里面吗?里面指定位置不行吗
而且在web上声明授权是不是必须用相对路径才行??
谢谢关注
最近好忙 又停了一段时间jaas 多交流


作者 Re:在web上jaas的声明性授权,出措??? [Re:neweagle]
jeez



发贴: 0
积分: 0
于 2003-09-02 10:44 user profilesend a private message to usersearch all posts byselect and copy to clipboard. ie only, sorry for netscape users:-)add this post to my favorite list
web上是要用相对路径的。jaas的policy不必要和JDK在一起,只要配置的时候能找到就行了。

我以前用过jaas,但这部分代码是抄过来的,tomcat或是JBoss的源码中有,配置文件的相对路径可以通过servlet的参数传给servlet,然后在servlet中自己获得配置文件,然后做安全的配置,但具体步骤我不太清楚了,很抱歉你得自己查些资料了。



flat modethreaded modego to previous topicgo to next topicgo to back
  已读帖子
  新的帖子
  被删除的帖子
Jump to the top of page

   Powered by Jute Powerful Forum® Version Jute 1.5.6 Ent
Copyright © 2002-2021 Cjsdn Team. All Righits Reserved. 闽ICP备05005120号-1
客服电话 18559299278    客服信箱 714923@qq.com    客服QQ 714923