Code Comments

JAAS and UNIX
Hi,

has anyone managed to log in to a UNIX system as a principal other than
the user that runs the application using JAAS?
The JNDI-Module returns the correct subject, but when I do a
Subject.doAs(subject, action)
the user that runs the action remains the user who started the
application. E.g. reading a file that is only readable by the
authenticated user results in a
java.io.FileNotFoundException
instead of a
java.security.AccessControlException
and the "java.home" property still points to the home directory of the
application runner.

Does the runner of the application have to be root?
Am I missing something?

Regards
JK.

JK
03-20-04 01:54 AM


Re: JAAS and UNIX
JK <nobody@nowhere.org> wrote:
> Okay, it seems I got it all wrong:
>
> You can't really do something "on behalf of another user" with JAAS.
> Even though you call Subject.doAs with an authenticated Subject, the
> code is still executed in the system environment of the application's owner.

Of course: Java security is separate from OS security.

The OS won't allow a program to execute (code) as a different user, unless
it executes as a superuser, or it authenticates itself using the operating
system.

JAAS is used to authenticate a user to your Java code. It does not
authenticate a program to the OS.


> Given that and the fact that the application's policy must be a subset of
> the user specific jaas policy makes JAAS quite a weak tool for
> authorisation.

It doesn't. JAAS just isn't suited for every kind of authorization. There
is a difference between the user running the program (determining the
rights a program has), and the user using a program. This distinction is
necessary to create servers.


Oscar

--
Oscar Kind                                    http://home.hccnet.nl/okind/
Java/J2EE Developer                             email available on website

Oscar kind
03-20-04 01:54 AM


Re: JAAS and UNIX
Hi

> owner.
>
> Of course: Java security is separate from OS security.
>
> The OS won't allow a program to execute (code) as a different user, unless
> it executes as a superuser, or it authenticates itself using the operating
> system.
>
> JAAS is used to authenticate a user to your Java code. It does not
> authenticate a program to the OS.
>
> 
>
> It doesn't. JAAS just isn't suited for every kind of authorization. There
> is a difference between the user running the program (determining the
> rights a program has), and the user using a program. This distinction is
> necessary to create servers.
>
It depends on what kind of servers you want. JAAS is adequate for the most
often used scenario, when you have "internet" users not known to the host OS.
The problem which JK (and I) need to solve is authorization for known users
(like ftp, telnet and many other servers on UNIX do).
On UNIX, it is solved with fork()/setuid() and there's no natural equivalent
in Java for that.
That makes Java more secure, but cuts us off from the possibly rich OS
authorization framework.
For example, one has to use an SQL database (or XML files/database as in XACL)
to keep authorization data even when it is natural to use the OS users'
database.

---
Boris



Boris Bralo
03-20-04 01:54 AM
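
The fork()/setuid() pattern mentioned in the post above, as an added C example that is not part of the original thread. The names `run_as`, `has_identity`, `show_identity` and the `SWITCH_REFUSED` status are hypothetical, and the targets in `main` are constructed; without root the kernel refuses the switch, which is the OS-level limit discussed earlier in the thread.

```c
#define _DEFAULT_SOURCE          /* for setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>
#define SWITCH_REFUSED 126       /* hypothetical status: kernel refused the identity change */

static int has_identity(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Hypothetical helper: run action() in a forked child as uid/gid.
 * Returns 0 or 1 from the action, SWITCH_REFUSED, or -1 if fork/wait failed. */
int run_as(uid_t uid, gid_t gid, int (*action)(void))
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {              /* child; the parent keeps its own identity */
        if (!has_identity(uid, gid)) {
            /* Order matters: supplementary groups, then gid, then uid.
             * Once the uid is dropped the groups can no longer be changed. */
            if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
                _exit(SWITCH_REFUSED);
            /* Check the result, and that root cannot be regained. */
            if (!has_identity(uid, gid) || (uid != 0 && setuid(0) == 0))
                _exit(SWITCH_REFUSED);
        }
        _exit(action() != 0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Sample action: report the identity the child ended up with. */
int show_identity(void)
{
    printf("action runs as uid=%ld gid=%ld\n", (long)getuid(), (long)getgid());
    return fflush(stdout) != 0;  /* flush here: _exit() does not flush stdio */
}

int main(void)
{
    printf("self:  %d\n", run_as(getuid(), getgid(), show_identity));     /* own identity */
    printf("other: %d\n", run_as(getuid() + 1, getgid(), show_identity)); /* needs root */
    return 0;
}
```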


Re: JAAS and UNIX
JK, have you managed to solve your problem and authenticate the user in
Unix?  Boris, do you have any ideas on how to do this?  I'm attempting to
do the same thing without any luck.


jhegedus
04-08-04 04:59 PM

