Implementation

Note: Appendix A contains a sample java.security file that includes the static properties mentioned here.

Because default values exist for the JAAS providers and policy files, users need not list their values either statically (in the java.security file) or dynamically (with the command line -D option) in order to implement JAAS. The default configuration and policy file providers may also be replaced by a user-developed provider. This section therefore explains the JAAS default providers and policy files, as well as the properties that enable alternative providers.

For more information than is summarized here, read the Default Policy File API and Default Configuration File API.

Authentication Provider

The authentication provider, or configuration class, is statically set with login.configuration.provider=[class] in the java.security file. This provider creates the Configuration object.

For example:

login.configuration.provider=com.foo.Config

If the Security property login.configuration.provider is not found in java.security, then JAAS will set it to the default value: com.ibm.security.auth.login.ConfigFile

If a security manager is set before the Configuration is created, then AuthPermission("getLoginConfiguration") must be granted.

There isn't a way to dynamically set the configuration provider on the command line.

Authentication Configuration File

The authentication configuration files may be statically set in java.security with login.config.url.n=[URL], where n is a consecutively numbered integer starting with 1. The format is identical to the format for Java™ security policy files (policy.url.n=[URL]).

If the Security property policy.allowSystemProperty is set to "true" in java.security, then users can dynamically set configuration files on the command line using the -D option with this property: java.security.auth.login.config. The value may be a path or URL. For example,

(Unix):
    ... -Djava.security.auth.login.config=/usr/config_policy/login.config ...
    or
    ... -Djava.security.auth.login.config=file:/usr/config_policy/login.config ...
(Windows):
    ... -Djava.security.auth.login.config=c:\config_policy\login.config ...
    or
    ... -Djava.security.auth.login.config=file:c:/config_policy/login.config ...
Note: Using double equal signs (==) on the command line allows a user to override all other configuration files found.

If no configuration files can be found statically or dynamically, JAAS will try to load the configuration file from this default location: ${user.home}/.java.login.config where ${user.home} is a system-dependent location.

Authorization Provider

The authorization provider, or JAAS Policy class, is statically set with auth.policy.provider=[class] in the java.security file. This provider creates the JAAS Subject-based Policy object.

For example:

auth.policy.provider=com.foo.Policy

If the Security property auth.policy.provider is not found in java.security, then JAAS will set it to the default value: com.ibm.security.auth.PolicyFile.

If a security manager is set before the Configuration is created, then AuthPermission("getPolicy") must be granted.

There isn't a way to dynamically set the authorization provider on the command line.

Authorization Policy File

The authorization policy files may be statically set in java.security with auth.policy.url.n=[URL], where n is a consecutively numbered integer starting with 1. The format is identical to the format for Java security policy files (policy.url.n=[URL]).

If the Security property policy.allowSystemProperty is set to "true" in java.security, then users can dynamically set policy files on the command line utilizing the -D option with this property: java.security.auth.policy. The value may be a path or URL. For example,

(Unix):
   ... -Djava.security.auth.policy=/usr/auth_policy/java.auth.policy ...
   or
   ... -Djava.security.auth.policy=file:/usr/auth_policy/java.auth.policy ...
(Windows):
   ... -Djava.security.auth.policy=c:\auth_policy\java.auth.policy ...
   or
   ... -Djava.security.auth.policy=file:c:/auth_policy/java.auth.policy ...
Note: Using double equal signs (==) on the command line allows a user to override all other policy files found.

There is no default location from which to load an authorization policy.
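
The lookup rules in the Authentication Configuration File and Authorization Policy File sections can be checked from inside a running JVM. The following is an added example, not part of the original documentation or of the JAAS implementation: the class name JaasSourceAudit and its helper methods are hypothetical, and it only reports what the properties described above would select, without loading any file.

```java
import java.io.File;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

public class JaasSourceAudit {

    // Collect <prefix>1, <prefix>2, ... from java.security, stopping at the
    // first missing index (n is consecutive, starting with 1).
    static List<String> staticUrls(String prefix) {
        List<String> urls = new ArrayList<>();
        for (int n = 1; Security.getProperty(prefix + n) != null; n++) {
            urls.add(Security.getProperty(prefix + n));
        }
        return urls;
    }

    // List the sources selected for one file type; list order is not load order.
    static List<String> effective(String urlPrefix, String sysProp, String defaultPath) {
        List<String> sources = staticUrls(urlPrefix);
        boolean allow = "true".equalsIgnoreCase(Security.getProperty("policy.allowSystemProperty"));
        String dynamic = System.getProperty(sysProp);
        if (allow && dynamic != null) {
            // "-Dprop==value" reaches the JVM as a value with a leading '=',
            // which overrides every statically configured file.
            if (dynamic.startsWith("=")) {
                sources.clear();
                dynamic = dynamic.substring(1);
            }
            sources.add(dynamic + "  [from -D" + sysProp + "]");
        } else if (dynamic != null) {
            System.out.println("  ignored -D" + sysProp + " (policy.allowSystemProperty is not true)");
        }
        if (sources.isEmpty() && defaultPath != null) {
            boolean present = new File(defaultPath).exists();
            sources.add(defaultPath + (present ? "  [default]" : "  [default, missing]"));
        }
        return sources;
    }

    public static void main(String[] args) {
        // A null provider means the property is unset and the default class applies.
        System.out.println("login.configuration.provider = " + Security.getProperty("login.configuration.provider"));
        System.out.println("auth.policy.provider = " + Security.getProperty("auth.policy.provider"));
        System.out.println("Login configuration sources:");
        effective("login.config.url.", "java.security.auth.login.config",
                System.getProperty("user.home") + File.separator + ".java.login.config")
                .forEach(s -> System.out.println("  " + s));
        System.out.println("Authorization policy sources:");
        effective("auth.policy.url.", "java.security.auth.policy", null)
                .forEach(s -> System.out.println("  " + s));
    }
}
```

Run it with the same java.security file and -D options as the application being checked; an unexpected entry marked as coming from -D, or a default file in a user's home directory, shows that the login configuration is under that user's control.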