JAAS NTUserPrincipal problems

bengt b

Aug 11, 2003, 5:00:42 PM
Hello everyone!

I think I have tried just about everything, but I cannot get recognized as
the NTUserPrincipal that I am logged in as.
Please, look at this program and these configuration files and tell me why I
get an access denied error message when calling
AccessController.checkPermission(new TestPermission("test")).

Thank you in advance!
/Bengt B

*** I use this commandline to run the program:
java -Djava.security.manager -Djava.security.auth.login.config==./SimpleTest.config -Djava.security.auth.policy==./SimpleTest.principalpolicy -Djava.security.policy==./SimpleTest.policy baverman.test.jaas.SimpleTest

*** This is the SimpleTest class:
package baverman.test.jaas;

import java.security.AccessController;
import java.security.PrivilegedAction;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import com.sun.security.auth.callback.TextCallbackHandler;

/**
 * @author Bengt B
 * @since 2003-08
 */
public class SimpleTest
{
    public static void main(String[] args)
        throws LoginException
    {
        PrivilegedAction action = new TestAction();

        System.out.println("before:: " +
            Subject.getSubject(AccessController.getContext()));

        LoginContext lc = new LoginContext("SimpleTest", new TextCallbackHandler());
        lc.login();

        Subject subject = lc.getSubject();

        System.out.println("during:: " +
            Subject.getSubject(AccessController.getContext()));
        Subject.doAs(subject, action);
        System.out.println("That was easy (not)! ");

        lc.logout();
        System.out.println("after:: " +
            Subject.getSubject(AccessController.getContext()));

        action.run();
    }
}

class TestAction
    implements PrivilegedAction
{
    public Object run() {
        System.out.println("privileged:: " +
            Subject.getSubject(AccessController.getContext()));

        AccessController.checkPermission(new TestPermission("test"));

        return null;
    }
}

*** The TestPermission.java class looks like this:
package baverman.test.jaas;

import java.security.BasicPermission;

/**
 * @author Bengt B
 * @since 2003-08
 */
public class TestPermission
    extends BasicPermission
{
    public TestPermission(String name) {
        super(name);
    }

    public TestPermission(String name, String actions) {
        super(name, actions);
    }
}

*** The SimpleTest.config file looks like this:
SimpleTest {
    com.sun.security.auth.module.NTLoginModule required debug=false;
};

*** The SimpleTest.policy file looks like this:
grant {
    permission javax.security.auth.AuthPermission "getSubject", "read";
    permission javax.security.auth.AuthPermission "createLoginContext";
    permission javax.security.auth.AuthPermission "doAs";
    permission javax.security.auth.AuthPermission "doAsPrivileged";
};

*** The SimpleTest.principalPolicy looks like this:
grant principal com.sun.security.auth.NTUserPrincipal "myuser" {
    permission baverman.test.jaas.TestPermission "test";
};

*** And finally the result I get when I run this thingy is (slightly edited
to protect the innocent):
before:: null
during:: null
privileged:: Ärende:
    Principal: NTUserPrincipal: myuser
    Principal: NTDomainPrincipal: <snip...>
    Principal: NTSidUserPrincipal: S-1-5-21-1275210071-1060284298-854245398-1000
    Principal: NTSidPrimaryGroupPrincipal: S-1-5-21-1275210071-1060284298-854245398-513
    Principal: NTSidGroupPrincipal: S-1-5-21-1275210071-1060284298-854245398-513
    Principal: NTSidGroupPrincipal: S-1-1-0
    Principal: NTSidGroupPrincipal: S-1-5-21-1275210071-1060284298-854245398-1005
    Principal: NTSidGroupPrincipal: S-1-5-32-544
    Principal: NTSidGroupPrincipal: S-1-5-32-545
    Principal: NTSidGroupPrincipal: S-1-5-4
    Principal: NTSidGroupPrincipal: S-1-5-11
    Principal: NTSidGroupPrincipal: S-1-5-5-0-50292
    Principal: NTSidGroupPrincipal: S-1-2-0
    Offentligt kreditiv: NTNumericCredential: 4220

java.security.AccessControlException: access denied (baverman.test.jaas.TestPermission test)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
    at java.security.AccessController.checkPermission(AccessController.java:401)
    at baverman.test.jaas.TestAction.run(SimpleTest.java:47)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:319)
    at baverman.test.jaas.SimpleTest.main(SimpleTest.java:31)
Exception in thread "main"

(Sic! It shouldn't be this hard...)

rjf

Aug 12, 2003, 11:02:47 PM
be...@baverman.se (bengt b) wrote in message news:<8cb201e2.03081...@posting.google.com>...

> I think I have tried just about everything, but I cannot get recognized as

I was having the same basic problem. I solved it by using
Subject.doAsPrivileged() instead of doAs(). So:

> Subject.doAs(subject, action);

becomes

Subject.doAsPrivileged(subject, action, null);

Note passing in 'null' as the access controller which makes the call
allocate a new (empty?) one. I am still not keen on why, but that is
what makes the difference in my code, and why it works and doAs()
doesn't.

I think if you make that one change, all will work for you.

rjf&
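
The difference between doAs() and doAsPrivileged() with a null context that the reply above describes, as an added example that is not part of the original posts. `DemoUser`, `DemoPermission` and `PrincipalOnlyPolicy` are hypothetical stand-ins for NTUserPrincipal, TestPermission and the principal grant; the sketch assumes a JDK from 8 through 17 with no security manager installed, and installs the policy programmatically instead of reading policy files.

```java
import java.security.*;
import javax.security.auth.Subject;

public class DoAsContextDemo {
    // Hypothetical stand-ins for NTUserPrincipal "myuser" and TestPermission.
    static final class DemoUser implements Principal {
        public String getName() { return "myuser"; }
    }
    static final class DemoPermission extends BasicPermission {
        DemoPermission(String name) { super(name); }
    }

    // Stand-in for the principal grant: only domains carrying a DemoUser pass.
    static final class PrincipalOnlyPolicy extends Policy {
        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            if (!(permission instanceof DemoPermission)) return false;
            for (Principal p : domain.getPrincipals()) {
                if (p instanceof DemoUser) return true;
            }
            return false;
        }
    }

    // Runs the permission check as the subject; true if it is allowed.
    static boolean checkPasses(boolean useDoAsPrivileged) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new DemoUser());
        PrivilegedAction<Boolean> action = new PrivilegedAction<Boolean>() {
            public Boolean run() {
                try {
                    AccessController.checkPermission(new DemoPermission("test"));
                    return true;
                } catch (AccessControlException e) {
                    return false;
                }
            }
        };
        // doAs() also checks the caller's inherited domains, which carry no
        // principals; a null context in doAsPrivileged() leaves them out.
        if (useDoAsPrivileged) return Subject.doAsPrivileged(subject, action, null);
        return Subject.doAs(subject, action);
    }

    public static void main(String[] args) {
        Policy.setPolicy(new PrincipalOnlyPolicy());
        System.out.println("doAs:           " + checkPasses(false));
        System.out.println("doAsPrivileged: " + checkPasses(true));
    }
}
```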

bengt b

Aug 13, 2003, 11:34:07 AM
r...@theforrest.org (rjf) wrote in message news:<be5871d4.03081...@posting.google.com>...

Unfortunately, it doesn't help. I still get the same access denied
exception when calling doAsPrivileged. It also does not matter if I
use null or AccessController.getContext() as the third parameter to
doAsPrivileged.
>
> rjf&

Thank you anyway!
/Bengt B
