JAAS Authorization Checks

IBM JGSS performs runtime authorization checks on the use of credentials and access to services. Just like the login feature, this JAAS feature is optional and can be disabled by setting the Java™ property javax.security.auth.useSubjectCredsOnly to false. Moreover, the application must be running with a security manager for the authorization checks to be performed.

Authorization checks are made against the authorization policy that is in effect for the current access control context. When the default policy implementation is used, JAAS permissions are granted to entities by recording those permissions in a policy file. The specific checks performed by JGSS are javax.security.auth.kerberos.DelegationPermission and javax.security.auth.kerberos.ServicePermission checks.

The DelegationPermission checks restrict the use of delegated credentials. In particular, a principal that is delegating its TGT must have been granted a DelegationPermission that specifies the receiving service and the backend service with which the receiver will communicate using the delegated TGT. For example, in order for the principal foo@SECURITYCENTRAL.TIVOLI.COM to delegate its TGT for use by the principal superSecureServer/securityCentral.tivoli.com@SECURITYCENTRAL.TIVOLI.COM, and for that receiving service to acquire a service ticket from the Ticket-Granting Service (TGS) on behalf of foo, the JAAS policy applicable to foo must grant foo a DelegationPermission that names superSecureServer and the TGS. A file-based policy for foo looks like the following one.

grant codeBase "file:./fooJgssClient.jar",
    Principal javax.security.auth.kerberos.KerberosPrincipal "foo@SECURITYCENTRAL.TIVOLI.COM" {

    // 1. Authorize foo to delegate its TGT to superSecureServer
    permission javax.security.auth.kerberos.DelegationPermission
        "\"superSecureServer/securityCentral.tivoli.com@SECURITYCENTRAL.TIVOLI.COM\" \"krbtgt/SECURITYCENTRAL.TIVOLI.COM@SECURITYCENTRAL.TIVOLI.COM\"";

    // 2. Authorize foo to acquire a TGT from its KDC
    permission javax.security.auth.kerberos.ServicePermission
        "krbtgt/SECURITYCENTRAL.TIVOLI.COM@SECURITYCENTRAL.TIVOLI.COM", "initiate";

    // 3. Grant foo permission to initiate a context with superSecureServer
    permission javax.security.auth.kerberos.ServicePermission
        "superSecureServer/securityCentral.tivoli.com@SECURITYCENTRAL.TIVOLI.COM", "initiate";
};

The ServicePermission checks restrict the use of credentials for context initiation and acceptance. A context initiator must have permission to initiate a context. Likewise, a context acceptor must have permission to accept a context. See foo's policy file (shown previously) for examples.
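To make the two checks concrete, the following added example (not IBM's or the JDK's code) parses a policy file in the format shown above and answers the DelegationPermission and ServicePermission questions the way JGSS would ask them for foo. It models only the Principal-based grant and the two permission classes discussed here; the codeBase clause is parsed but not enforced, and a granted target of "*" is treated as matching any service principal.

```python
import re
# Constructed sample: the file-based policy for foo shown on this page.
POLICY = r'''
grant codeBase "file:./fooJgssClient.jar",
  Principal javax.security.auth.kerberos.KerberosPrincipal "foo@SECURITYCENTRAL.TIVOLI.COM" {
  permission javax.security.auth.kerberos.DelegationPermission
    "\"superSecureServer/securityCentral.tivoli.com@SECURITYCENTRAL.TIVOLI.COM\" \"krbtgt/SECURITYCENTRAL.TIVOLI.COM@SECURITYCENTRAL.TIVOLI.COM\"";
  permission javax.security.auth.kerberos.ServicePermission
    "krbtgt/SECURITYCENTRAL.TIVOLI.COM@SECURITYCENTRAL.TIVOLI.COM", "initiate";
  permission javax.security.auth.kerberos.ServicePermission
    "superSecureServer/securityCentral.tivoli.com@SECURITYCENTRAL.TIVOLI.COM", "initiate";
};
'''

DELEGATION = "javax.security.auth.kerberos.DelegationPermission"
SERVICE = "javax.security.auth.kerberos.ServicePermission"
# One permission entry: the target is the first quoted string (escaped quotes
# allowed, as in the DelegationPermission target), the actions an optional second.
PERM_RE = re.compile(r'permission\s+(\S+)\s+"((?:[^"\\]|\\.)*)"(?:\s*,\s*"([^"]*)")?\s*;', re.S)

def parse_policy(text):
    """Map each granted principal name to its [(class, target, actions), ...].
    Simplification: the grant's codeBase is parsed but not enforced here."""
    grants = {}
    for header, body in re.findall(r"grant\s+(.*?)\{(.*?)\};", text, re.S):
        m = re.search(r'Principal\s+\S+\s+"([^"]+)"', header)
        if not m:
            continue  # grants without a Principal clause are out of scope
        perms = grants.setdefault(m.group(1), [])
        for cls, target, actions in PERM_RE.findall(body):
            perms.append((cls, target.replace('\\"', '"'), actions))
    return grants

def may_delegate(grants, principal, subordinate, backend):
    """DelegationPermission: may `principal` hand its TGT to `subordinate` so that
    `subordinate` can obtain a ticket for `backend` on the principal's behalf?"""
    for cls, target, _ in grants.get(principal, []):
        # target is '"subordinate" "backend"'; both names must match exactly
        if cls == DELEGATION and tuple(re.findall(r'"([^"]+)"', target)) == (subordinate, backend):
            return True
    return False

def may_use_service(grants, principal, service, action):
    """ServicePermission: may `principal` perform `action` ('initiate' or 'accept')
    with `service`? A granted target of "*" stands for any service principal."""
    for cls, target, actions in grants.get(principal, []):
        granted = {a.strip() for a in actions.split(",")}
        if cls == SERVICE and target in ("*", service) and action in granted:
            return True
    return False
```

Note that foo's policy grants "initiate" only, so a request to accept a context with superSecureServer, or any request by a principal with no grant block, is refused.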