
I am designing a JAAS authentication and authorisation application. In the authentication part, the username and password entered by the user are matched against the values retrieved from the database. There are three principals for each user (username, password, position). Upon successful authentication the principals are added to the subject. This part is working fine.

The problem lies in the authorisation part (when I set the SecurityManager), where, depending upon the position (either manager or employee), permissions are granted.

The policy file is

grant codebase "/home/esamsar/NetBeansProjects/JAAS/*"
{
permission javax.security.auth.AuthPermission "createLoginContext.Sample";
permission javax.security.auth.AuthPermission "doAsPrivileged";
}


grant   Principal PositionPrincipal "manager" 
{

   permission java.util.PropertyPermission "java.home", "read";
   permission java.util.PropertyPermission "user.home", "read,write";
   permission java.io.FilePermission "topsecurity.txt", "read";

};

grant   Principal PositionPrincipal "employee" 
{

   permission java.util.PropertyPermission "java.home", "read";
   permission java.util.PropertyPermission "user.home", "read,write";

};

Upon adding the following lines of code I encounter "Cannot create LoginContext. access denied ("java.util.PropertyPermission" "java.security.auth.login.config" "write")"

 System.setSecurityManager(new SecurityManager());
 System.setProperty("java.security.auth.login.config", configFile);
 System.setProperty( "java.security.policy", policyFile );

configFile and policyFile are the JAAS configuration file and policy file respectively. What could I add to my policy file to resolve the problem? Thanks in advance.

Sameer Sarmah
  • When I set the security manager last, after setting the system properties, I encounter a different error: "Cannot create LoginContext. access denied ("java.util.PropertyPermission" "user.dir" "read")". System.setProperty("java.security.auth.login.config", path); System.setProperty( "java.security.policy", policy ); System.setSecurityManager(new SecurityManager()); – Sameer Sarmah Mar 05 '14 at 08:19
  • I have granted a few more permissions in the policy file and now there are no errors. I am using JDBC for database connectivity. I have not granted SQLPermission yet. The code connecting the application to the database is skipped silently without any SecurityException. – Sameer Sarmah Mar 05 '14 at 11:03

1 Answer


You first need to write:

System.setProperty("java.security.auth.login.config", configFile);
System.setProperty( "java.security.policy", policyFile );

And only then:

System.setSecurityManager(new SecurityManager());

But this might not be the only problem. I had the same problem, and I fixed it. I have a working example, but with Unix auth. Here it is. Main class:

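import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class UserAuthLesson {
    public static void main(String[] args) {
        try
        {
            // Set both properties before installing the security manager;
            // once it is installed, System.setProperty is permission-checked.
            System.setProperty("java.security.policy", "src/MyApp.policy");
            System.setProperty("java.security.auth.login.config", "src/jaas.config");
            System.setSecurityManager(new SecurityManager());
            LoginContext context = new LoginContext("Login1"); // defined in JAAS configuration file
            context.login();
            Subject subject = context.getSubject(); // authenticated subject carrying its principals
            context.logout();
        }
        catch (LoginException exception) // thrown if login was not successful
        {
            exception.printStackTrace();
        }
    }
}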

Policy file:

grant{
permission javax.security.auth.AuthPermission "createLoginContext.Login1";
permission javax.security.auth.AuthPermission "doAsPrivileged";
};
grant principal com.sun.security.auth.UnixPrincipal "max" {
permission java.util.PropertyPermission "user.*", "read";
};

Jaas file:

Login1 {
com.sun.security.auth.module.UnixLoginModule required;
};
Max Husiv
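
The ordering point from the answer, as an added example (not code from either poster): this probe runs the same property operations before and after `System.setSecurityManager`, so the refusals quoted in the question and in its first comment can be reproduced in isolation. It assumes a JDK that still allows installing a Security Manager at run time (Java 8 or 11, as was current for this 2014 thread) with only the JDK's default policy in effect; the class name `PropertyOrderDemo` and its method names are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class PropertyOrderDemo {

    // Try to write a system property; return "ok" or the refusal message.
    static String tryWrite(String key, String value) {
        try {
            System.setProperty(key, value);
            return "ok";
        } catch (SecurityException e) {
            return e.getMessage();
        }
    }

    // Try to read a system property; return "ok" or the refusal message.
    static String tryRead(String key) {
        try {
            System.getProperty(key);
            return "ok";
        } catch (SecurityException e) {
            return e.getMessage();
        }
    }

    // Run the operations the thread discusses and record each outcome.
    static Map<String, String> probe(String phase) {
        Map<String, String> results = new LinkedHashMap<String, String>();
        // The write that fails in the question once the manager is installed.
        results.put(phase + ": write java.security.auth.login.config",
                tryWrite("java.security.auth.login.config", "src/jaas.config"));
        // The read that fails in the first comment.
        results.put(phase + ": read user.dir", tryRead("user.dir"));
        // Contrast: a property the JDK's default policy lets any code read.
        results.put(phase + ": read java.version", tryRead("java.version"));
        return results;
    }

    public static void main(String[] args) {
        Map<String, String> results = new LinkedHashMap<String, String>(probe("before"));
        // From here on every property access is checked against the policy.
        System.setSecurityManager(new SecurityManager());
        results.putAll(probe("after"));
        for (Map.Entry<String, String> entry : results.entrySet()) {
            System.out.println(entry.getKey() + " -> " + entry.getValue());
        }
    }
}
```

Granting `java.util.PropertyPermission "java.security.auth.login.config", "write"` to the application's code source would also clear the first refusal, but setting the properties before installing the manager avoids widening the policy.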