2 Replies Latest reply on Oct 20, 2003 11:58 AM by hakanberlin

    Using JAAS for authorization

    joemilora

      Hi all,

      I'm attempting to use JAAS for authorization, but with no luck so far.

      The JAAS authentication works fine, and I'm placing the authenticated subject in a session to use
      with my Struts-based application. Unfortunately, I receive a permission failure on every permission
      check.

      I've tested my authorization code outside the container, so I'm fairly sure it works. I've updated the
      security policy, changing the AllPermission to the needed individual permissions. (The log produced
      from java.security.debug="access failure" seems to indicate it's my authorization permission that's
      causing the failure.)

      I guess I'm wondering if there is something I'm unaware of that is preventing me from using JAAS
      authorization from within JBoss.

      Can I add principal-based permissions in the server.policy? If so, is there anything else I need to
      do to enable principal-based security?

      Thanks in advance,
      Joe Milora

        • 1. Re: Using JAAS for authorization
          joemilora

          Whoops, my mistake. I forgot to modify run.bat to point to the policy file and use a security manager.

          After about forty or fifty changes to the policy file, using JAAS for authorization works fine.

          • 2. Re: Using JAAS for authorization
            hakanberlin

            Hello

            You wrote that it works.

            Could you perhaps tell me what it is that's working?

            Principal-based authorization?????

            I thought this is impossible, because J2EE defines role-based authorization. You define roles and assign EJB method permissions to those roles.
            (Assignment of roles to EJB methods)

            You mean you have achieved principal-based authorization in J2EE??? How????
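
As an added example, not part of the original posts and not joemilora's code: a minimal sketch of the principal-based check the thread discusses, where a policy `grant principal` entry is evaluated through `Subject.doAsPrivileged`. The class names, the principal names "joe" and "eve", the "view" permission and the codeBase path are hypothetical, and the JVM is assumed to be started with a security manager and policy file as the first reply describes.

```java
// Policy file fragment (constructed; class names and path are hypothetical):
//   grant codeBase "file:/path/to/app/-" {
//       permission javax.security.auth.AuthPermission "doAsPrivileged";
//   };
//   grant principal PrincipalCheck$UserPrincipal "joe" {
//       permission PrincipalCheck$ReportPermission "view";
//   };
// JVM flags: -Djava.security.manager -Djava.security.policy=<policy file>
// Caveat: the Security Manager is deprecated for removal since Java 17 (JEP 411).
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

public class PrincipalCheck {
    /** Hypothetical principal a LoginModule would add to the Subject. */
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof UserPrincipal && ((UserPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** Hypothetical application permission named in the policy grant. */
    public static final class ReportPermission extends BasicPermission {
        public ReportPermission(String name) { super(name); }
    }

    /** True only if the policy grants ReportPermission(action) to the subject's principals. */
    static boolean isAllowed(Subject subject, String action) {
        try {
            // A null context means only the code inside the action, combined with
            // the subject's principals, is evaluated against the policy.
            Subject.doAsPrivileged(subject, (PrivilegedAction<Void>) () -> {
                AccessController.checkPermission(new ReportPermission(action));
                return null;
            }, null);
            return true;
        } catch (AccessControlException denied) {
            return false; // fail closed: no matching grant for these principals
        }
    }

    public static void main(String[] args) {
        for (String user : new String[] {"joe", "eve"}) {
            Subject s = new Subject();
            s.getPrincipals().add(new UserPrincipal(user));
            System.out.println(user + " may view: " + isAllowed(s, "view"));
        }
    }
}
```

This check keys on the principal's class and name in the JVM policy file, which is separate from the role-to-EJB-method assignments that J2EE deployment descriptors define.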