JAAS authorization
I'm trying to use JAAS to authorize (no authentication) different users to read/write a file, but even denying write permission to a specific subject won't stop the client from writing to it.
This is the security policy:
    grant codebase "file:F:/libs/jaas.jar" {
        permission java.security.AllPermission;
    };
    grant codebase "file:F:/classes/" {
        permission javax.security.auth.AuthPermission "modifyPrincipals";
        permission javax.security.auth.AuthPermission "doAs";
        permission java.io.FilePermission "F:/source/test/disadapter/temp.txt", "read, write";
    };
and the JAAS permission file:
    grant Principal test.descriptor.User "employees" {
        permission java.io.FilePermission "F:/source/test/disadapter/temp.txt", "read";
    };
    grant Principal test.descriptor.User "managers" {
        permission java.io.FilePermission "F:/source/test/disadapter/temp.txt", "read, write";
    };
while the code is:
    import java.security.Principal;
    import java.security.PrivilegedAction;
    import javax.security.auth.Subject;
    import java.util.*;

    public class AccessManager {
        public static void main(String[] args) throws Exception {
            PrivilegedAction read = new PrivilegedAction() {
                public Object run() {
                    // read the file
                    return null;
                }
            };
            PrivilegedAction write = new PrivilegedAction() {
                public Object run() {
                    // write the file
                    return null;
                }
            };
            // Build a subject carrying only the "employees" principal
            Subject subject = new Subject();
            subject.getPrincipals().add(new User("employees"));
            // Run the write action on behalf of that subject
            Subject.doAs(subject, write);
        }
    }

    class User implements Principal {
        private String name = null;

        public User(String name) {
            this.name = name;
        }

        public String getName() {
            return name;
        }

        public boolean equals(Object another) {
            // Guard the cast so comparing with a non-Principal does not throw
            if (!(another instanceof Principal)) {
                return false;
            }
            String otherName = ((Principal) another).getName();
            return name.equals(otherName);
        }

        // Keep hashCode consistent with equals
        public int hashCode() {
            return name.hashCode();
        }

        public String toString() {
            return name;
        }
    }
Running the program with the following JVM parameters:
    -Djava.security.manager -Djava.security.auth.policy=jaas.policy -Djava.security.policy=security.policy
regardless of what the user is, it will always have access to that file. Any ideas?
Thanks
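Added example, not part of the original post: Java policy grants are additive and there is no deny entry, so a grant without a Principal clause applies to every subject running that code. The sketch below models that union for the file permission only; the `Grant` class, the `principalOnly` variant and the method names are assumptions made for illustration, and this is not the JDK's policy parser.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.security.Permissions;
import java.util.Arrays;
import java.util.List;

// Illustrative model of how matching grant entries are combined (hypothetical names).
public class AdditiveGrants {
    static final String FILE = "F:/source/test/disadapter/temp.txt";

    // One grant entry; principal == null models a grant with no Principal clause.
    static final class Grant {
        final String principal;
        final Permission permission;
        Grant(String principal, Permission permission) {
            this.principal = principal;
            this.permission = permission;
        }
    }

    // Effective permissions are the union of every entry that matches the subject.
    static Permissions effective(List<Grant> policy, String principalName) {
        Permissions result = new Permissions();
        for (Grant g : policy) {
            if (g.principal == null || g.principal.equals(principalName)) {
                result.add(g.permission);
            }
        }
        return result;
    }

    static boolean canWrite(List<Grant> policy, String principalName) {
        return effective(policy, principalName).implies(new FilePermission(FILE, "write"));
    }

    public static void main(String[] args) {
        Grant employees = new Grant("employees", new FilePermission(FILE, "read"));
        Grant managers = new Grant("managers", new FilePermission(FILE, "read,write"));
        // As posted: the codebase grant for F:/classes/ carries the FilePermission itself.
        List<Grant> asPosted = Arrays.asList(
                new Grant(null, new FilePermission(FILE, "read,write")), employees, managers);
        // Assumed variant: file access is granted only through the Principal entries.
        List<Grant> principalOnly = Arrays.asList(employees, managers);

        System.out.println("as posted, employees can write: " + canWrite(asPosted, "employees"));
        System.out.println("principal-only, employees can write: " + canWrite(principalOnly, "employees"));
        System.out.println("principal-only, managers can write: " + canWrite(principalOnly, "managers"));
    }
}
```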

