User authentication and authorization in the Java/sup TM/ platform

Java/sup TM/ security technology originally focused on creating a safe environment in which to run potentially untrusted code downloaded from the public network. With the latest release of the Java/sup TM/ platform (the Java/sup TM/ 2 Software Development Kit, v 1.2), fine-grained access controls can be placed upon critical resources with regard to the identity of the running applets and applications, which are distinguished by where the code came from and who signed it. However, the Java platform still lacks the means to enforce access controls based on the identity of the user who runs the code. In this paper we describe the design and implementation of the Java/sup TM/ Authentication and Authorization Service (JAAS), a framework and programming interface that augments the Java/sup TM/ platform with both user-based authentication and access control capabilities.

[1]  Joan Feigenbaum,et al.  KeyNote: Trust Management for Public-Key Infrastructures (Position Paper) , 1998, Security Protocols Workshop.

[2]  Roger M. Needham,et al.  Using encryption for authentication in large networks of computers , 1978, CACM.

[3]  Russ Housley,et al.  Internet X.509 Public Key Infrastructure Certificate and CRL Profile , 1999, RFC.

[4]  Luigi Giuri Role-based access control in Java , 1998, RBAC '98.

[5]  L. Gong,et al.  Experience with secure multi-processing in Java , 1998, Proceedings. 18th International Conference on Distributed Computing Systems (Cat. No.98CB36183).

[6]  Vipin Samar,et al.  Making login services independent from authentication technologies , 1995 .

[7]  Butler W. Lampson,et al.  SPKI Certificate Theory , 1999, RFC.

[8]  Angelos D. Keromytis,et al.  Key note: Trust management for public-key infrastructures , 1999 .

[9]  John G. Myers Simple Authentication and Security Layer (SASL) , 1997, RFC.

[10]  Martín Abadi,et al.  Authentication in distributed systems: theory and practice , 1991, SOSP '91.

[11]  Hemma Prafullchandra,et al.  Going Beyond the Sandbox: An Overview of the New Security Architecture in the Java Development Kit 1.2 , 1997, USENIX Symposium on Internet Technologies and Systems.

[12]  Joan Feigenbaum,et al.  Decentralized trust management , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[13]  Guy L. Steele,et al.  The Java Language Specification , 1996 .

[14]  Frank Yellin,et al.  The Java Virtual Machine Specification , 1996 .

[15]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[16]  Steven M. Bellovin,et al.  Encrypted key exchange: password-based protocols secure against dictionary attacks , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[17]  John Linn,et al.  Generic Security Service Application Program Interface, Version 2 , 1997, RFC.

[18]  Theodore Y. Ts'o,et al.  Kerberos: an authentication service for computer networks , 1994, IEEE Communications Magazine.

[19]  Tatyana Ryutov,et al.  Access Control Framework for Distributed Applications , 2000 .