Java Authentication and Authorization Service authorization

Java 2 security architecture uses a security policy to specify which access rights are granted to running code. This architecture is code-centric. That is, the permissions are granted based on code characteristics including where the code is coming from, whether it is digitally signed, and by whom. Authorization of the Java Authentication and Authorization Service (JAAS) augments the existing code-centric access controls with new user-centric access controls. Permissions are granted based on what code is running and who is running it.

When using JAAS authentication to authenticate a user, a subject is created to represent the authenticated user. A subject is comprised of a set of principals, where each principal represents an identity for that user. You can grant permissions in the policy to specific principals. After the user is authenticated, the application can associate the subject with the current access control context. For each subsequent security-checked operation, the Java run time automatically determines whether the policy grants the required permission to a specific principal only. If so, the operation is supported if the subject associated with the access control context contains the designated principal only.

Associate a subject with the current access control context by calling the static doAs method from the subject class, passing it an authenticated subject and java.security.PrivilegedAction or java.security.PrivilegedExceptionAction. The doAs method associates the provided subject with the current access control context and then invokes the run method from the action. The run method implementation contains all the code that ran as the specified subject. The action runs as the specified subject.

In the Java 2 Platform, Enterprise Edition (J2EE) programming model, when invoking the EJB method from an enterprise bean or servlet, the method runs under the user identity that is determined by the run-as setting. The J2EE V1.3 Specification does not indicate which user identity to use when invoking an enterprise bean from a Subject.doAs action block within either the EJB code or the servlet code. A logical extension is to use the proper identity specified in the subject when invoking the EJB method within the Subject doAs action block.

This simple rule of letting Subject.doAs overwrite the run-as identity setting is an ideal way to integrate the JAAS programming model with the J2EE run-time environment. However, a general JAAS design oversight was introduced into IBM Developer Kit, Java Technology Edition V1.3 when integrating the JAAS V1.0 implementation with the Java 2 security architecture. A subject, which is associated with the access control context is cut off by a doPrivileged call when a doPrivileged call occurs within the Subject.doAs action block. Until this problem is corrected, no reliable and run-time efficient way is available to guarantee the correct behavior of Subject.doAs in a J2EE run-time environment.

The problem can be explained better with the following example:

Subject.doAs(subject, new java.security.PrivilegedAction() {
	  Public Object run() {
	      // Subject is associated with the current thread context
	      java.security.AccessController.doPrivileged( new 
	          java.security.PrivilegedAction() {
                         public Object run() {
                         // Subject was cut off from the current 
                         // thread context
		 return null;
	             }
	       });
	       // Subject is associated with the current thread context
	       return null;
	  }
});
At line three, the subject object is associated with the context of the current thread. As indicated on line 7 within the run method of a doPrivileged action block, the subject object is removed from the thread context. After leaving the doPrivileged block, the subject object is restored to the current thread context. Because doPrivileged blocks can be placed anywhere along the running path and instrumented quite often in a server environment, the run-time behavior of a doAs action block becomes difficult to manage.

The credential is used by the Security Authentication Service (SAS) run time for EJB invocation.

The WSSubject.doAs and WSSubject.doAsPrivileged methods then invoke the corresponding Subject.doAs and Subject.doAsPrivileged methods. The original credential is restored and associated with the running thread upon leaving the WSSubject.doAs and WSSubject.doAsPrivileged methods.

[V5.1 and later]To resolve this difficulty, WebSphere Application Server provides a WSSubject helper class to extend the JAAS authorization to a J2EE EJB method invocation as described previously. The WSSubject class provides static doAs and doAsPrivileged methods that have identical signatures to the subject class. The WSSubject.doAs method associates the Subject to the currently running thread.

The credential is used by the Security Authentication Service (SAS) run time for EJB invocation.

The WSSubject.doAs and WSSubject.doAsPrivileged methods then invoke the corresponding Subject.doAs and Subject.doAsPrivileged methods. The original credential is restored and associated with the running thread upon leaving the WSSubject.doAs and WSSubject.doAsPrivileged methods.

Note that the WSSubject class is not a replacement of the subject object, but rather a helper class to ensure consistent run-time behavior as long as an EJB method invocation is a concern.

The following example illustrates the run-time behavior of the WSSubject.doAs method:

WSSubject.doAs(subject, new java.security.PrivilegedAction() {
	  Public Object run() {
	      // Subject is associated with the current thread context
	      java.security.AccessController.doPrivileged( new 
	          java.security.PrivilegedAction() {
                      public Object run() {
                         // Subject was cut off from the current thread 
                         // context.
		 return null;
	             }
	       });
	       // Subject is associated with the current thread context
         //  and its CORBA credentials are still associated with SAS thread 
         //  local storage

	  return null;
	  }
});

WSSubject.doAs(subject, new java.security.PrivilegedAction() {
	  Public Object run() {
	      // Subject is associated with the current thread context
	      java.security.AccessController.doPrivileged( new 
	          java.security.PrivilegedAction() {
                      public Object run() {
                         // Subject was cut off from the current thread 
                         // context.
		 return null;
	             }
	       });
	       // Subject is associated with the current thread context
	  return null;
	  }
});
The Subject.doAs and Subject.doAsPrivileged methods are not integrated with the J2EE run-time environment. EJB methods that are invoked within the Subject.doAs and Subject.doAsPrivileged action blocks run under the identity specified by the run-as setting and not by the subject identity.

Refer to Java 2 Connector security for more information