On Mar 18, 2006, at 7:31 AM, Dmitry Markman wrote:
> Hi
> as I discovered, that
> UnixLoginModule uses information related to current user
> and it can not be used for admin authentication, is it correct?
> is it true that there is no pure Java way to run admin access
> required application?
> so I have to create jnilib (that will use Security.framework) for
> dealing with that
> (I'd like to create small rxtx installer for mac os x, so user
> will be able to use it from the webstart)
> maybe somebody knows about open-source solutions?

You could, I believe, write your own login module, maybe using your or
other JNI code. I believe it was indicated as possible in "Java
Security" - Oaks, O'Reilly.

For the exercise I made an attempt at this, writing a JAAS login
module based on Greg Guerin's AuthKit. http://www.spacestar.net/users/mikehall/authkit.dmg
Mac OS specific authorization of interest, so Mac specific dmg again
used. A nice way to distribute Mac stuff.

It includes the entire distribution of Greg's AuthKit that I had plus
my changes. No real acknowledgment of Greg's artistic license but I
currently don't plan on distributing this unless some interest is
shown; it was, again, for the exercise.

Additions would be:
Source/glguerin/authkit/jaas/AuthKitLoginModule.java and
AuthKitPrincipal.java
Source/app/authkit/test/TestJAAS.java
Contents of the bin directory; testjaas is what should be run to test it.

Brief observations: simple login acquiring admin authorization
doesn't give you everything you need. Runtime exec doesn't
subsequently run as authorized. Greg includes an execPrivileged sort
of equivalent method. I added an authkit.action property that allows
you to specify a command to be run authorized at the same time you
login/authorize. Not quite straight JAAS but not too major a
divergence either.

I thought maybe you would be able to subsequently do stuff like
create low number port server sockets from the current admin
authorized process but that did not work either. Maybe Greg would
know why that is if you wanted something like that other than admin
exec'ing stuff.

No supported options for logging in as other than the current user in
what I did, but probably possible.

Anyone can do what they want with it, Greg included of course. If
anyone would like to see it made available I could add a link for it
somewhere.