Mailing Lists: Apple Mailing Lists


Re: UnixLoginModule question




On Mar 21, 2006, at 5:22 PM, Dmitry Markman wrote:

> I'm not sure I got it right
> but I think the problem with JAAS is that we cannot elevate the privileges of the Java process where we are working
> but we can run the external process with any given privileges
> besides I don't like all of that mess with configuration files so if I can avoid it, using
> the very clear AuthKit approach, I'd rather do it

The configuration stuff is part of JAAS like the elevated privilege mechanism is part of authkit. You can't get away from all of it, although maybe you can get away from some of it. I was able to eliminate the JAAS policy file since the authorized action was done as a side-effect, as Greg called it, to successful login. There is no need for the privileged action doAs on return associated with a special JAAS security policy. For JNLP you might be able to skip the -Djava.security.manager property and providing an AllPermission or other normal Java security policy, as my understanding is that Java Web Start does these for you? Possibly a wrong guess there as well. You would definitely still need the -Djava.security.auth.login.config=login.conf just as on OS/X you would definitely need Greg's -Dauthkit.imp=glguerin.authkit.imp.macosx.MacOSXAuthorization authkit property. At least my testing seemed to show that necessary. Possibly somewhere there is an os.name or other property check that eliminates its need?


But anyhow, you don't like the setup. Greg doesn't like the AuthKit mesh, so neither of you will probably be using it. I was just happy it worked as intended, possibly providing some indication that my difficulties with the UnixLoginModule weren't my failing to set it up correctly. Although not complete proof that I was set up correctly there. My intention, if I ever get back to that code, is still to use something more like SSH anyhow; this didn't change my mind on that either.

So as no one wants to use it I'll probably just delete it when I do some future cleanup.


Mike Hall
mikehall at spacestar dot net
http://www.spacestar.net/users/mikehall
http://sourceforge.net/projects/macnative
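
Added example, not part of the original message and not Mike Hall's or Greg Guerin's code: a minimal JAAS setup in which the authorized action runs as a side effect of a successful login, so only a login configuration is needed and no JAAS policy file or doAs call. The class names, the "Demo" entry and the "allow" option are hypothetical; setting the system property in code stands in for -Djava.security.auth.login.config=login.conf.

```java
import java.nio.file.*;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class SideEffectLogin {
    static boolean actionRan = false;   // records whether the guarded action executed

    // Hypothetical module: decides in login(), performs the action in commit().
    public static class ActionModule implements LoginModule {
        private Map<String, ?> options;
        private boolean ok;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> shared, Map<String, ?> opts) {
            options = opts;
        }
        public boolean login() throws LoginException {
            // Stand-in for a real credential check, driven by a constructed option.
            ok = "true".equals(options.get("allow"));
            if (!ok) throw new FailedLoginException("not authorized");
            return true;
        }
        public boolean commit() {
            // commit() is only reached when the overall login succeeded,
            // so the action cannot run for a rejected caller.
            if (ok) actionRan = true;
            return ok;
        }
        public boolean abort()  { ok = false; return true; }
        public boolean logout() { ok = false; return true; }
    }

    public static void main(String[] args) throws Exception {
        // Constructed login.conf with one entry naming the module above.
        Path conf = Files.createTempFile("login", ".conf");
        String entry = "Demo {\n"
                     + "  SideEffectLogin$ActionModule required allow=\"true\";\n"
                     + "};\n";
        Files.write(conf, entry.getBytes("UTF-8"));
        // Must be set before the first LoginContext is created.
        System.setProperty("java.security.auth.login.config", conf.toString());
        try {
            new LoginContext("Demo").login();
            System.out.println("login ok, action ran: " + actionRan);
        } catch (LoginException e) {
            System.out.println("login failed, action ran: " + actionRan);
        }
    }
}
```

Changing allow to "false" in the constructed entry makes login() throw, commit() is never called, and the action does not run.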



Java-dev mailing list      (email@hidden)