The Java 2 platform provides a means to enforce access controls based on where code came from and who signed it. These access controls are needed because of the distributed nature of the Java platform where, for example, a remote applet can be downloaded over a public network and then run locally.
However, the Java 2 platform does not provide a way to enforce similar access controls based on who runs the code. To provide this type of access control, the Java 2 security architecture requires the following:
- Additional support for authentication (determining who is actually running the code)
- Extensions to the existing authorization components to enforce new access controls based on who was authenticated
The Java Authentication and Authorization Service (JAAS) framework provides these enhancements.
For a general overview of JAAS, see the Sun JAAS Web site.
To download a copy of the documentation for JAAS, download the jaasdocs.jar file.
The jaasdocs.jar file contains the following documents:
To extract the documentation from the downloaded .jar file, place the .jar file in the directory where you would like the documentation (for instance ${java-home}/docs/jaasDocs) and issue the following command:
jar -xvf jaasdocs.jar
Note that the jaasdocs.jar file is actually a Java Archive (.jar) file that contains documentation only and no executable code. The jar command above will work whether the file type is .tar or .jar.
Sun provides a version of JAAS, although it does not apply directly to OS/390 or z/OS. The IBM version of JAAS for OS/390 differs from the Sun version in the following ways:
- The com.sun.* packages have been moved to com.ibm.* packages.
- The OS390LoginModule in the IBM version of JAAS provides a default login module supporting basic authentication with the OS/390 Security Services, SAF (RACF).
- The SAFPermission class in IBM's JAAS provides authorization checking for resources protected by OS/390 Security Services, SAF (RACF).
- In IBM's JAAS, ThreadSubject.doAs provides a default implementation of ThreadSubject.
There is a statement you must add to use IBM's version of JAAS; see the section on Using JAAS.
The jaasdocs.jar file is located in the ${java-home}/lib/ext directory.
In order to use JAAS, you must do the following:
IBM's JAAS provides samples for the OS/390 platform. These samples are contained in the ${java-home}/demo/jaas/samples390.jar file. This jar file contains two directories called Standard and SAF.
The samples include the standard sample discussed in The IBM JAAS Developer's Guide. There is also a configuration file for use with the standard sample, and a sample that uses the SAF permission.
These samples require that JAAS is installed and SAF (RACF) is configured correctly.
Standard sample
The samples390.jar file contains a Standard directory where you'll find the example discussed in The IBM JAAS Developer's Guide, in the section called '"Hello World", JAAS style!'. There are two added files in the Standard directory:
- helloOS390.config
- helloOS390.bat
If you run the helloOS390.bat sample program instead of the normal hello.bat, Java will use the OS/390 login and OS/390 User principal modules instead of HWLoginModule and HWPrincipal. These modules will prompt the user for a valid SAF (RACF) userid and password. The program validates these and builds an OS/390 user principal for the authenticated user.
SAF permission sample
The SAF permission sample works in much the same way as the standard sample. However, the SAF permission sample uses the OS/390 login module exclusively.
After the user's userid and password are authenticated, the program performs a Subject.doAs on the SAF1 class. The SAF1 class checks for UPDATE authority on class FACILITY, profile BPX.SERVER, using the userid associated with the OS/390 user principal. This class then reports back whether that authority exists.
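The flow of the SAF permission sample (JAAS login through the OS/390 login module, then a SAF authorization check inside Subject.doAs) written out as an added illustration; this is not the SAF1 sample shipped in samples390.jar. The package name com.ibm.security.auth, the argument order of the SAFPermission constructor, the login module's package name in the configuration entry, and the use of AccessController.checkPermission to trigger the SAF check are assumptions, not taken from the page.

```java
// Added example (not the IBM sample). Assumed, not on the page: the package
// com.ibm.security.auth for SAFPermission and its (class, profile, access)
// constructor order, and the login module's package name in the config entry.
import java.io.Console;
import java.security.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import com.ibm.security.auth.SAFPermission;

public class SafCheck {
    // Entry expected in the file named by -Djava.security.auth.login.config:
    //   SafCheck { com.ibm.security.auth.module.OS390LoginModule required; };

    // Supplies the SAF userid and password when the login module asks for them.
    static final class ConsoleHandler implements CallbackHandler {
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            Console con = System.console();
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(con.readLine("SAF userid: "));
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(con.readPassword("Password: "));
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    // Runs as the authenticated subject and asks SAF whether that userid holds
    // UPDATE on FACILITY profile BPX.SERVER, the check the SAF1 sample performs.
    static boolean hasBpxServerUpdate(Subject subject) {
        return Subject.doAs(subject, new PrivilegedAction<Boolean>() {
            public Boolean run() {
                try {
                    AccessController.checkPermission(
                        new SAFPermission("FACILITY", "BPX.SERVER", "UPDATE"));
                    return Boolean.TRUE;
                } catch (AccessControlException e) {
                    return Boolean.FALSE;   // RACF did not grant UPDATE
                }
            }
        });
    }

    public static void main(String[] args) throws LoginException {
        LoginContext lc = new LoginContext("SafCheck", new ConsoleHandler());
        lc.login();   // OS390LoginModule validates the userid/password with SAF
        System.out.println("UPDATE on BPX.SERVER: " + hasBpxServerUpdate(lc.getSubject()));
        lc.logout();
    }
}
```

A failed login raises LoginException before any authorization check runs, so the SAF check is only ever evaluated for an authenticated userid.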
To use JAAS, you must have a SAF service provider (RACF or another) installed and configured.