[GAJSS] JAAS & Java Platform Security

More Stuart Halloway, now talking about Java Security (slides here. [Incidentally, Roller definitely needs a draft autosave feature. On a spotty network, this is KILLING me that any given draft save can kill my entry. Resorting to a copy of my entry before saving a draft is a cheap workaround.]

We start off with a look at the typical java platform security stuff, the java.policy file and such. I’ve never had much use for this in my work, so the move along to JAAS is a welcome one.
A good explanation is that a Subject in JAAS is a container, and a Principal is a set of roles, identities, and whatever else associated with that Subject. This is helpful for me, since I’ve always found those words unintuitive and confusing. The Principal class is nothing short of useless. The fact that Java continues to pump out specifications that are so dependent on vendor extensions to do anything useful is insulting and counter-productive to everyone but the vendors who depend on it as an obstruction to portability. [Just survived ANOTHER JRoller choke thanks to cut and paste.]

He also points out a nice permissions sniffer for making the trial-and-error process of figuring out which permissions your authenticated user (Subject) is requesting that it doesn’t have, and adding them to java.policy.

It’s been interesting, but perhaps hits java at a lower level of abstraction than I’m used to. I do mostly web apps, so my perspective is largely on the level of users and roles that are exposed in a webapp, and the permissions that are exposed in that relationship. The closest I get to worrying about JAAS implementation details is selecting which login module I want the app server to use. I don’t deal in permissions very often. This beef is probably more about my selection of this session than Stuart’s presentation of it.