Is JAAS the right choice for me?
I'm trying to get my head around what JAAS is and if it's the right thing for me to be using for an application I'm writing. Let me describe the situation:
It's a client-server system. The client connects to the server and sends a username and password to authenticate itself. I want the server to check the username and password against the server's local accounts to check that the password is right.
Am I right in saying that JAAS will not do this and will in fact only validate the user that the server process is running as?
Is there something better that I could be using?
On a slightly different note I would also like to be able to change the user that one of the threads of the server is running as. Is this possible with any pre-existing technology, or is it possible with a bit of JNI?
Mossop
By mossopa at 2007-9-30 0:18:38

I don't think there is a JAAS LoginModule that will authenticate against the local Windows SAM store. You may need to write your own LoginModule to achieve this.
JAAS does support username/password login but only against LDAP, Kerberos, etc. stores.
Why do you want to change the thread identity? What do you expect to achieve by this? May require a platform-specific implementation.
Ok, maybe I should give JAAS a try then. It's a Linux/Unix system so I can just knock up some native code to implement a LoginModule that calls the standard PAM library.
The point of changing the user that the thread is running as is to ensure that the thread cannot access any files on the server that that particular user should not have access to. Unless anyone can suggest a platform-independent way of doing this, I can only think of 2 ways, both involving native code:
1. Have some native code that given a username and a filename will return what permissions the user has on the file. This would, I imagine, be quite a pain to write.
2. Have some native code that changes the user that the thread runs as. Then we can query files through the File interface, and what's more, bugs in the Java code cannot accidentally access files that the user shouldn't be able to access.
Sadly no. My Linux box uses something a bit different to most for authenticating common users. In fact the final authentication is done by a PAM module I wrote! It would be possible to write a pure Java LoginModule that would work on my system, but perversely, a native interface between PAM and LoginModule would work on more systems.
Mossop
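
The custom LoginModule idea discussed in this thread, as an added example that is not code from any of the posters: a JAAS `LoginModule` that takes the username and password through callbacks and hands them to a pluggable verifier. The `Verifier` interface, the `service` option and the class names are hypothetical; the PAM call behind the verifier (JNI, as suggested above) is assumed and not shown, so the default verifier rejects every login.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class PamLoginModule implements LoginModule {
    // Hypothetical seam: a real build would back this with JNI code that calls PAM.
    public interface Verifier { boolean check(String service, String user, char[] password); }
    public static volatile Verifier verifier = (svc, user, pw) -> false; // fails closed until replaced
    record UserPrincipal(String name) implements Principal { public String getName() { return name; } }

    private Subject subject;
    private CallbackHandler handler;
    private String service = "login";
    private Principal verified, committed;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
        subject = s; handler = h;
        Object svc = options.get("service");   // assumed option name in the JAAS config entry
        if (svc != null) service = svc.toString();
    }
    public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("no CallbackHandler supplied");
        NameCallback name = new NameCallback("user: ");
        PasswordCallback pass = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { name, pass }); } // server passes on what the client sent
        catch (java.io.IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e.getMessage());
        }
        char[] pw = pass.getPassword();        // getPassword() returns a copy
        try {
            if (name.getName() == null || pw == null || !verifier.check(service, name.getName(), pw))
                throw new FailedLoginException("authentication failed"); // same message for every cause
            verified = new UserPrincipal(name.getName());
            return true;
        } finally {                            // wipe both copies of the password
            pass.clearPassword();
            if (pw != null) Arrays.fill(pw, '\0');
        }
    }
    public boolean commit() {
        if (verified == null) return false;    // our login() did not succeed
        subject.getPrincipals().add(committed = verified);
        verified = null;
        return true;
    }
    public boolean abort() { boolean ours = verified != null || committed != null; verified = null; logout(); return ours; }
    public boolean logout() { if (committed != null) subject.getPrincipals().remove(committed); committed = null; return true; }
}
```

The server would name this class in its JAAS configuration entry and pass a `CallbackHandler` holding the client-supplied credentials to `LoginContext`.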