JAAS Authorization Framework
Goal
The purpose of this laboratory exercise is threefold: to extend the
understanding of the Java Authentication and Authorization Service
(JAAS), to provide hands-on experience with the specification and
enforcement of authorization policies using JAAS and to provide an
experimental framework for discussing access control
policies. Students are assumed to have completed the JAAS
authentication lab.
Access Control Scenario
Consider the scenario of a print server installed in a small company. The print server supports the following operations:
print(String filename, String printer); // prints file filename on the specified printer
queue(); // lists the print queue on the user's display in lines of the form <job number> <file name>
topQueue(int job); // moves job to the top of the queue
start(); // starts the print server
stop(); // stops the print server
restart(); // stops the print server, clears the print queue and starts the print server again
status(); // prints status of printer on the user's display
readConfig(String parameter); // prints the value of the parameter on the user's display
setConfig(String parameter, String value); // sets the parameter to value
Not everybody working in the company has the same rights to access
the print server. Alice is managing the print server, so she has the
rights to perform all operations. Bob is the janitor who
doubles as service technician; he has the rights to start,
stop and restart the print server as well as inspect and
modify the service parameters, i.e., invoke the status,
readConfig and setConfig operations. Cecilia is a power
user, who is allowed to print files and manage the print
queue, i.e., use queue and topQueue as well as
restart the print server when everything seems to be
stuck. Finally, David and Erica are ordinary users who are only
allowed to print files and display the print
queue.
Tasks
This lab is based on the JAAS
Authorization Tutorial from Oracle and a research
paper describing User
Authentication and Authorization in the Java Platform.
The first task is to read through the tutorial and get a general idea
of the architecture of the JAAS authorization framework.
The second task is to follow the steps in this tutorial to download,
configure and run the sample code. At the end of this step you should
have a running program that will authenticate the principal
testUser with the password hard-coded into the Login Module and print the values of the system variables java.home and user.home along with a statement as to whether or not you have a file named foo.txt in the current directory.
The third task is to make a rudimentary implementation of a print server that supports the operations defined in the access control scenario above. It is not necessary to implement the functional requirements of the operations; it is enough that each method displays the name of the method and the principal who invoked it. You should make sure that the methods in the print server can be invoked through the code developed in this lab in the same way that the method in the SampleAction.class is invoked in the JAAS
Authorization Tutorial (hint: one way to achieve this is to implement each print server operation in a separate class that then invokes the relevant method in the print server).
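The following is an added example, not code from the lab hand-out or from Oracle's tutorial, showing one way to structure the third task so that every print server operation is invoked through Subject.doAsPrivileged(subject, action, null), exactly as SampleAction is invoked in the tutorial. Each operation is guarded by a custom permission so that the policy file of the next task can decide who may call it. The package name printserver, the class names and the permission names are assumptions made for this example; three source files are shown in one listing.

```java
// Added example (not from the lab hand-out or Oracle's tutorial). Package,
// class and permission names are assumptions chosen for this illustration.

// ---- File: printserver/PrintServerPermission.java ----
package printserver;

import java.security.BasicPermission;

// One permission name per operation ("print", "queue", "topQueue", ...).
// BasicPermission provides the "*" wildcard, so a policy entry can grant a
// principal every operation with a single "permission" line.
public final class PrintServerPermission extends BasicPermission {
    public PrintServerPermission(String operation) {
        super(operation);
    }
}

// ---- File: printserver/PrintServer.java ----
package printserver;

import java.security.AccessController;
import java.security.Principal;
import javax.security.auth.Subject;

// Rudimentary print server: every operation first asks the access controller
// whether the calling context holds the matching PrintServerPermission, then
// reports the method name and the invoking principal(s), as Task 3 requires.
public class PrintServer {

    public void print(String filename, String printer)    { enforce("print"); }
    public void queue()                                   { enforce("queue"); }
    public void topQueue(int job)                         { enforce("topQueue"); }
    public void start()                                   { enforce("start"); }
    public void stop()                                    { enforce("stop"); }
    public void restart()                                 { enforce("restart"); }
    public void status()                                  { enforce("status"); }
    public void readConfig(String parameter)              { enforce("readConfig"); }
    public void setConfig(String parameter, String value) { enforce("setConfig"); }

    private void enforce(String operation) {
        // Throws java.security.AccessControlException when the policy does not
        // grant this operation to the principals in the current context.
        AccessController.checkPermission(new PrintServerPermission(operation));
        System.out.println(operation + " invoked by " + invokingPrincipals());
    }

    // Subject.doAsPrivileged attaches the Subject to the AccessControlContext,
    // so the server can recover the caller's principals from the context.
    private static String invokingPrincipals() {
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) {
            return "<no subject>";
        }
        StringBuilder names = new StringBuilder();
        for (Principal p : subject.getPrincipals()) {
            if (names.length() > 0) {
                names.append(", ");
            }
            names.append(p.getName());
        }
        return names.toString();
    }
}

// ---- File: printserver/PrintAction.java ----
package printserver;

import java.security.PrivilegedAction;

// One action class per operation, following the hint in Task 3; the other
// eight operations follow the same shape. The caller runs it with
//     Subject.doAsPrivileged(subject, new PrintAction(server, "report.pdf", "lobby"), null);
public class PrintAction implements PrivilegedAction<Void> {
    private final PrintServer server;
    private final String filename;
    private final String printer;

    public PrintAction(PrintServer server, String filename, String printer) {
        this.server = server;
        this.filename = filename;
        this.printer = printer;
    }

    @Override
    public Void run() {
        server.print(filename, printer);
        return null;
    }
}
```

As in the tutorial, the program must be started with the security manager installed and a policy file supplied (the -Djava.security.manager and -Djava.security.policy options), otherwise the checkPermission call has no policy to consult. Note that Subject.getSubject is itself a guarded call: with the security manager on, the code base holding PrintServer must be granted javax.security.auth.AuthPermission "getSubject" for every user, or the principal lookup throws a SecurityException before the operation is reported.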
The fourth task is to define the necessary configuration
files to simulate the access control scenario described above. This
includes creation of the necessary users in your password file and
definition of a policy file that enforces the policy defined in the
access control scenario.
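The following is an added example, not the lab's own policy file, of how the scenario can be expressed in the same policy-file form as the tutorial's sampleazn.policy, with one grant entry per user. It assumes the print server classes and permission from the example above (package printserver), the tutorial's principal class sample.principal.SamplePrincipal, a code base of file:./printserver.jar and lower-case user names in the password file; substitute the names from your own authentication lab.

```text
// Added example policy (not from the lab hand-out). Code base, principal class
// and user names are assumptions; adjust them to your own setup.

// Granted to every caller regardless of principal: PrintServer looks up the
// invoking Subject while the security manager is installed.
grant codebase "file:./printserver.jar" {
    permission javax.security.auth.AuthPermission "getSubject";
};

// Alice manages the print server: every operation (BasicPermission wildcard).
grant codebase "file:./printserver.jar",
      Principal sample.principal.SamplePrincipal "alice" {
    permission printserver.PrintServerPermission "*";
};

// Bob (service technician): start, stop, restart and the service parameters.
grant codebase "file:./printserver.jar",
      Principal sample.principal.SamplePrincipal "bob" {
    permission printserver.PrintServerPermission "start";
    permission printserver.PrintServerPermission "stop";
    permission printserver.PrintServerPermission "restart";
    permission printserver.PrintServerPermission "status";
    permission printserver.PrintServerPermission "readConfig";
    permission printserver.PrintServerPermission "setConfig";
};

// Cecilia (power user): print, manage the queue, restart when stuck.
grant codebase "file:./printserver.jar",
      Principal sample.principal.SamplePrincipal "cecilia" {
    permission printserver.PrintServerPermission "print";
    permission printserver.PrintServerPermission "queue";
    permission printserver.PrintServerPermission "topQueue";
    permission printserver.PrintServerPermission "restart";
};

// David and Erica (ordinary users): print and display the queue only.
grant codebase "file:./printserver.jar",
      Principal sample.principal.SamplePrincipal "david" {
    permission printserver.PrintServerPermission "print";
    permission printserver.PrintServerPermission "queue";
};

grant codebase "file:./printserver.jar",
      Principal sample.principal.SamplePrincipal "erica" {
    permission printserver.PrintServerPermission "print";
    permission printserver.PrintServerPermission "queue";
};
```

A useful check for the report is a negative test: log in as david and invoke stop; the expected outcome is a java.security.AccessControlException naming printserver.PrintServerPermission "stop", which demonstrates that the policy, not the print server code, is what denies the call.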
The fifth and final task is to examine how the access control policy
defined above may be specified using Role-Based Access
Control (RBAC) and discuss how this RBAC-based policy can be
supported using JAAS (it is not required to implement this solution).
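As an added sketch, not part of the lab and not a required solution, the fragment below shows the mechanism JAAS offers for a role-based policy: the login module adds role principals to the Subject, and the policy file grants permissions to role principals instead of to individual users. The principal class printserver.RolePrincipal, the role names and the code base are assumptions made for this sketch.

```text
// Added example (not from the lab hand-out): grants keyed on role principals.
// printserver.RolePrincipal, the role names and the code base are assumptions.

// A JAAS policy file has no notion of a role hierarchy. A user who holds
// "PowerUser" receives the "User" permissions only if the login module also
// adds a "User" principal to the Subject (or if each grant repeats the
// permissions inherited from the roles below it).
grant codebase "file:./printserver.jar",
      Principal printserver.RolePrincipal "User" {
    permission printserver.PrintServerPermission "print";
    permission printserver.PrintServerPermission "queue";
};

grant codebase "file:./printserver.jar",
      Principal printserver.RolePrincipal "PowerUser" {
    permission printserver.PrintServerPermission "topQueue";
    permission printserver.PrintServerPermission "restart";
};

grant codebase "file:./printserver.jar",
      Principal printserver.RolePrincipal "Technician" {
    permission printserver.PrintServerPermission "start";
    permission printserver.PrintServerPermission "stop";
    permission printserver.PrintServerPermission "restart";
    permission printserver.PrintServerPermission "status";
    permission printserver.PrintServerPermission "readConfig";
    permission printserver.PrintServerPermission "setConfig";
};

grant codebase "file:./printserver.jar",
      Principal printserver.RolePrincipal "Administrator" {
    permission printserver.PrintServerPermission "*";
};
```

With this arrangement the user-to-role assignment lives in the login module (or the password file it reads), while the policy file only describes what each role may do; which of the two files changes when a new employee arrives, and which when a new operation is added, is a concrete starting point for the comparison asked for in the report.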
Documentation
This lab is a mandatory part of the course, which means that you have
to hand in a small report, which will be evaluated and counts toward
your final grade. It is not necessary to document the first two tasks
if they have been completed successfully, so the report should focus on the documentation of the final three tasks as outlined below.
- Task 3: the report must present the design and
implementation of the rudimentary print server.
- Task 4: the report must explain how the access
control policy is enforced by the implementation and
configuration of the code developed in this lab. Part of this
task is also to demonstrate that the developed access control
mechanism works, e.g., by printing the name of the principal
before each invocation of the print server, which then prints
the name of the method and the invoking principal.
- Task 5: the discussion of RBAC must
explain the role hierarchy necessary to enforce the defined
policy. It should also discuss how to enforce RBAC using the
JAAS framework and explain the necessary configuration files
needed to support this implementation. Finally, based on the
two access control technologies examined in this lab, compare
and discuss the respective merits of ACL-based access control
and RBAC with respect to policy specification and enforcement
implementation (you may consider what parts of policies and
frameworks can be re-used when the policies and software systems
evolve).
The laboratory work will be individually assessed (i.e., you must
each hand in your own individual report), but you are of course
allowed to discuss this assignment with the other students in the
course. Please indicate the name and student number of any student with
whom you have had extensive discussions about the report in the
Introduction. The full report should be limited to a maximum of 10
pages, excluding the source code. NOTE: You should
not include all source files in the report, only the new
files and files that have been modified.
The laboratory work should be conducted on the following Wednesdays:
16 November and 23 November. The lab must be documented by
a short report as described above. The report should be handed in
electronically, using Campusnet, before 15.00 on Wednesday 30 November.
Useful Links
Christian Damsgaard Jensen
Christian.Jensen@imm.dtu.dk
Last modified 14 November 2011.