I am hosting a Java web service on an AIX Unix box using JBoss.

Some of the web methods browse the Unix file structure (i.e., GetDirectoryFiles returns all files for the directory path passed in).

I want to integrate this with the Unix security so that the caller would pass in a username/password at the session level and they would be limited to what files/directories they have access to, based on that username/password integrated with the server users.

For instance, if the server has a user with their home directory set to /home/me and they are unable to browse out of their home directory, the web service would only allow the same with regard to the method calls. They could call '/home/me/dir' but not '/home/notme/dir' (would throw an access denied exception).

How would I go about doing this?

Kenoyer130

1 Answer

The issue you are going to have is that the JBoss process is already running as a specific user, and therefore anything done by a thread within that process will run under that user's permissions.

The simplest approach, I believe, would be to launch a new process as a different user to complete the Unix part of each of your web methods, using Runtime.getRuntime().exec(...) - see this question

mikera
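
The approach in the answer above, sketched as an added example (not code from the answer or from JBoss): the listing runs in a child process under the caller's Unix account, so the operating system's own file permissions decide what is visible. Assumptions: the caller's password has already been verified elsewhere, sudo is installed at /usr/bin/sudo, and a sudoers rule lets the JBoss service account run /bin/ls as the target users without a password; the class name RunAsUserLister is hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.AccessDeniedException;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

public class RunAsUserLister {
    // Conservative account-name pattern (assumption); it also rejects a leading '-',
    // which sudo would otherwise parse as an option.
    private static final Pattern USER = Pattern.compile("[a-z_][a-z0-9_]{0,31}");

    /** Lists dir with the permissions of unixUser, who must already be authenticated. */
    public static List<String> getDirectoryFiles(String unixUser, String dir)
            throws IOException, InterruptedException {
        if (!USER.matcher(unixUser).matches())
            throw new IllegalArgumentException("invalid user name");
        if (!dir.startsWith("/") || dir.indexOf('\0') >= 0)
            throw new IllegalArgumentException("path must be absolute");

        // Argument list, no shell: user and path are never interpreted as shell syntax.
        // "-n" makes sudo fail instead of prompting; each "--" ends option parsing.
        ProcessBuilder pb = new ProcessBuilder(
                "/usr/bin/sudo", "-n", "-u", unixUser, "--", "/bin/ls", "-1A", "--", dir);
        pb.environment().clear();                            // pass nothing from the JBoss environment
        pb.redirectError(ProcessBuilder.Redirect.DISCARD);   // avoid blocking on a full stderr pipe
        Process p = pb.start();
        p.getOutputStream().close();                         // the child gets no stdin
        String out = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);

        // Fail closed: any non-zero exit is reported as a denial, so the response does
        // not reveal whether a path the user cannot reach exists.
        if (p.waitFor() != 0)
            throw new AccessDeniedException(dir, null, "not listable as " + unixUser);

        // One name per line; a file name containing a newline would be split here.
        return out.isEmpty() ? List.of() : Arrays.asList(out.split("\n"));
    }

    public static void main(String[] args) throws Exception {
        // Usage: java RunAsUserLister <user> <absolute-dir>
        getDirectoryFiles(args[0], args[1]).forEach(System.out::println);
    }
}
```

The sudoers rule should name /bin/ls by absolute path and restrict the run-as users to the accounts the service is meant to serve, so the JBoss account cannot run arbitrary commands as them.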