Standalone Client and JAAS authentication

EJB programming & troubleshooting: Standalone Client and JAAS authentication

  1. Standalone Client and JAAS authentication (1 messages)

    Hi all,
    I'm trying to execute a standalone Java client application that uses JAAS to authenticate (the client has to connect
    to a remote Session Bean).

    When I run the client:

    java -Djava.security.manager
    -Djava.security.policy=client.policy
    -Djava.security.auth.login.config=auth.conf MyClientClass

    I get the following exception:

    Exception in thread "main" java.security.AccessControlException: access denied (javax.security.auth.AuthPermission createLoginContext.other)
            at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
            at java.security.AccessController.checkPermission(AccessController.java:401)
            at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
            at javax.security.auth.login.LoginContext.init(LoginContext.java:157)
            at javax.security.auth.login.LoginContext.<init>(LoginContext.java:404)
            at client.gui.ProvaUser.main(ProvaUser.java:27)


    The strange thing is that I don't get the exception if I run the client in the
    directory where client.policy and auth.conf files reside.

    I thought that it was a CLASSPATH problem but even if I indicate in the
    CLASSPATH the directory where the two files reside, the problem doesn't disappear.

    Many thanks in advance
    Moreno
  2. The policy and auth.conf files are loaded using a file path, not the classpath. Therefore, the values you specify in the -Djava.security.policy and -Djava.security.auth.login.config must be the full or relative paths to these files, based on the startup directory of the application.

    The reason for this is security: if these files were loaded via the classpath, it would be too easy to substitute a "fake" policy file for the real one.
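
Added example (not part of the original thread): a POSIX shell launcher that turns the two file locations into absolute paths before starting the JVM, so the client starts the same way from any working directory and fails early if either file is missing. The function names `abs_conf` and `run_client` are hypothetical; `client.policy`, `auth.conf` and `MyClientClass` are the names used in the question.

```shell
#!/bin/sh
# Launcher helpers for a JAAS client run under a security manager.
# Both files are located by file path, not via the CLASSPATH, so a
# relative path only works when the JVM starts in the matching directory.

# abs_conf DIR FILE
# Print the absolute path of FILE inside DIR. Fail (status 1) if the
# directory does not exist or the file is missing or unreadable.
abs_conf() {
    dir=$1
    file=$2
    # Resolve DIR in a subshell so the caller's working directory is untouched.
    abs_dir=$(cd "$dir" 2>/dev/null && pwd -P) || {
        echo "abs_conf: no such directory: $dir" >&2
        return 1
    }
    path=$abs_dir/$file
    if [ ! -f "$path" ] || [ ! -r "$path" ]; then
        echo "abs_conf: missing or unreadable: $path" >&2
        return 1
    fi
    printf '%s\n' "$path"
}

# run_client CONF_DIR MAIN_CLASS
# Start the client with absolute paths for the policy file and the JAAS
# login configuration. Refuses to start if either file cannot be found,
# instead of letting the JVM continue without the intended policy.
run_client() {
    conf_dir=$1
    main_class=$2
    policy=$(abs_conf "$conf_dir" client.policy) || return 1
    login=$(abs_conf "$conf_dir" auth.conf) || return 1
    java -Djava.security.manager \
         "-Djava.security.policy=$policy" \
         "-Djava.security.auth.login.config=$login" \
         "$main_class"
}

# Usage (assumed layout: both files live in ./conf next to this script):
#   run_client "$(dirname "$0")/conf" MyClientClass
```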