For JAAS authorization to take place, that is, for access control permissions to be granted based not just on what code is running but also on who is running it, the following is required:
- The user must be authenticated, as described in the Login Context section.
- The Subject that is the result of authentication must be associated with an access control context, as described in the Subject section.
- Principal-based entries must be configured in the security policy, as described in the following section.

The Policy abstract class and the authorization-specific classes AuthPermission and PrivateCredentialPermission are described in the following sections.
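
The three requirements listed above, combined into one program as an added example (not code from the original guide). The login configuration entry `Sample`, the principal class `example.SamplePrincipal`, the user `alice` and the path `/tmp/report.txt` are assumptions made for illustration.

```java
import java.io.FilePermission;
import java.security.AccessController;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.sun.security.auth.callback.TextCallbackHandler;

// Added example. Assumed names: login configuration entry "Sample",
// principal class example.SamplePrincipal, user "alice", /tmp/report.txt.
//
// Requirement 3, principal-based policy entry
// (file passed with -Djava.security.policy=sample.policy):
//   grant Principal example.SamplePrincipal "alice" {
//       permission java.io.FilePermission "/tmp/report.txt", "read";
//   };
// When a security manager is installed, this class also needs
// AuthPermission "createLoginContext.Sample" and AuthPermission
// "doAsPrivileged", granted in a codebase-based entry.
public class PrincipalAuthzDemo {
    public static void main(String[] args) throws LoginException {
        // Requirement 1: authenticate. "Sample" is looked up in the file
        // named by -Djava.security.auth.login.config.
        LoginContext lc = new LoginContext("Sample", new TextCallbackHandler());
        lc.login();
        Subject subject = lc.getSubject();
        try {
            // Requirement 2: associate the Subject with an access control
            // context. With a null context, only the action's own code and
            // the Subject's principals enter into the permission check.
            Boolean allowed = Subject.doAsPrivileged(subject,
                (PrivilegedAction<Boolean>) () -> {
                    try {
                        AccessController.checkPermission(
                            new FilePermission("/tmp/report.txt", "read"));
                        return true;   // the principal-based grant matched
                    } catch (SecurityException denied) {
                        return false;  // no grant for these principals
                    }
                }, null);
            System.out.println("read permitted for "
                + subject.getPrincipals() + ": " + allowed);
        } finally {
            lc.logout();
        }
    }
}
```

The Security Manager and policy-file mechanism this relies on has been deprecated for removal since Java 17 (JEP 411) and is permanently disabled in JDK 24 (JEP 486), so the example applies to earlier releases.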