Authorization Classes

To make JAAS authorization take place, granting access control permissions based not just on what code is running but also on who is running it, the following is required:

  • The user must be authenticated, as described in the Login Context section.
  • The Subject that is the result of authentication must be associated with an access control context, as described in the Subject section.
  • Principal-based entries must be configured in the security policy, as described in the following section.

The Policy abstract class and the authorization-specific classes AuthPermission and PrivateCredentialPermission are described in the following sections.

Policy

The java.security.Policy class is an abstract class for representing the system-wide access control policy. The Policy API was upgraded in the J2SDK, v 1.4 to support Principal-based queries.

As a default, the J2SDK provides a file-based subclass implementation, which was upgraded to support Principal-based grant entries in policy files.

Policy files and the structure of entries within them are described in Default Policy Implementation and Policy File Syntax.

AuthPermission

The javax.security.auth.AuthPermission class encapsulates the basic permissions required for JAAS. An AuthPermission contains a name (also referred to as a "target name") but no actions list; you either have the named permission or you don't.

In addition to its inherited methods (from the java.security.Permissionclass), an AuthPermission has two public constructors:

public AuthPermission(String name);
    public AuthPermission(String name, String actions);

The first constructor creates a new AuthPermission with the specified name. The second constructor also creates a new AuthPermission object with the specified name, but has an additional actions argument which is currently unused and should be null. This constructor exists solely for the Policy object to instantiate new Permission objects. For most other code, the first constructor is appropriate.

Currently the AuthPermission object is used to guard access to the Policy, Subject, LoginContext, and Configuration objects. Please refer to the AuthPermission javadocs for the list of valid names that are supported.

Private Credential Permission

The javax.security.auth.PrivateCredentialPermission class protects access to a Subject's private credentials and provides one public constructor:

public PrivateCredentialPermission(String name, String actions);
Please refer to the PrivateCredentialPermission javadocs for more detailed information on this class.