JAAS, Securing J2EE Applications: Securing Web Components - 4. Configure the JAAS policy file
(Page 6 of 7 )
The configuration of JAAS policy is done in .policy files. Only one LoginModule is configured for the security module. The policies are set in user.policy and user_jaas.conf.
The contents are as follows:
User.policy:
/*grant the user LoginModule AllPermission i.e. give all permissions to LoginModule.*/
grant codebase “file:./user_module.jar”
{
permission java.security.AllPermission;
}
grant codebase “file:./user.jar”
{
permission javax.security.auth.AuthPermission “createLoginContext.User”;
permission javax.security.auth.AuthPermission “doAs”;
permission javax.security.util.PropertyPermission “java.home”,”read”;
permission javax.security.util.PropertyPermission “user.home”,”read”;
java.io.FilePermission “tips.html”,”read”;
}
/*Also set similar permissions for other files. They are not shown here*/
Now for some explanations. The first entry grants the relevant permissions to the userLoginModule. The userLoginModule is considered fully trusted. So it is granted all permissions. The second entry grants permission to the program itself, since the application is not fully trusted. Hence subject is authenticated first, and Subject.doAs is invoked with that subject and a userAction, which accesses the System property- java.home, user, home and the file tips.html. Now for user_jaas.conf.
user_jaas.conf:
In this provide the application name and the required parameters. Here the name is given as userend.
Userend
{
userLoginModule required debug=true
}
5. Configure the J2EE Application server
This step changes with each application server. So it is better to consult the documents provided by the vendor.
Next: Using the JAAS Module to Secure the Web Component >>
More Java Articles
More By A.P.Rajshekhar
/ 23 
