From: csm at gnu dot org
Subject: [Bug classpath/25202] javax.security.auth.login.LoginException: no configured modules for
Date: 15 Jan 2006 00:21:01 -0000

------- Comment #10 from csm at gnu dot org 2006-01-15 00:21 -------
Subject: Re: javax.security.auth.login.LoginException: no configured modules for

On Jan 14, 2006, at 3:02 PM, raif at swiftdsl dot com dot au wrote:
> On Sunday 15 January 2006 09:29, csm at gnu dot org wrote:
>> That is, code should be permitted to use JAAS, but NOT permitted to
>> read anything sensitive at the same time.
>
> the use of the Configuration (and its subclasses) is itself conditioned
> by security properties; e.g. the refresh() method. why then would you
> want to respect that restriction on the Configuration itself but bypass
> it in its implementation?
>
Those are (I believe) separate permissions; as a user of JAAS, I'd
expect if I'm granted permission to use JAAS, then I should be able
to use it, whether or not that means the *implementation* of JAAS
does something else that requires permission.

I mean, why should a programmer using the JAAS API have to care about
what goes on behind the scenes?

>> SystemProperties is just more convenient than using AccessController
>> to accomplish this; we will probably add a SecurityProperties class
>> that does the same thing.
>
> this only addresses system properties, what about the security
> properties and file reading? are you implying running (all) the
> Configuration logic as privileged code?
>
Obviously not, but running the parts that require permission -- which
the caller may not have or need -- should be.

If I might use an analogy, Jessie uses a number of Security
properties to control certain aspects of the SSL implementation's
behavior. You don't, as a user of JSSE, need permission to read ANY
security property, because you're only using that resource indirectly.

More to the point, GNU's JAAS should only require the documented
permissions that JAAS requires; that's the only way to meet the
specification.

Thanks.

--
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=25202
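
The privileged-block pattern discussed in this message, as an added example that is not part of the original message and is not GNU Classpath's code: only the property read runs with the library's own permissions, and the keys are fixed by the library rather than supplied by the caller. The class name `LoginConfigProperties` is hypothetical, and the keys `login.configuration.provider` and `login.config.url.N` are assumed here as the JAAS configuration properties being read.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.Security;

/** Hypothetical helper: reads JAAS-related security properties on behalf of callers. */
public final class LoginConfigProperties {
    // Assumed keys. Only these can be read through the privileged path, so an
    // unprivileged caller cannot use this class to read arbitrary properties.
    private static final String PROVIDER_KEY = "login.configuration.provider";
    private static final String URL_PREFIX = "login.config.url.";

    private LoginConfigProperties() {}

    /** Returns the configured Configuration provider class name, or null if unset. */
    public static String provider() {
        return read(PROVIDER_KEY);
    }

    /** Returns the value of login.config.url.N, or null if unset. */
    public static String configUrl(int n) {
        if (n < 1) {
            throw new IllegalArgumentException("index starts at 1");
        }
        return read(URL_PREFIX + n);
    }

    // Private on purpose: the key is always built inside this class.
    // Security.getProperty checks SecurityPermission("getProperty.<key>");
    // doPrivileged makes that check stop at this class's protection domain
    // instead of walking up to the caller, who needs no such permission.
    // AccessController is deprecated for removal in current JDKs.
    @SuppressWarnings({"removal", "deprecation"})
    private static String read(final String key) {
        return AccessController.doPrivileged(
            (PrivilegedAction<String>) () -> Security.getProperty(key));
    }

    public static void main(String[] args) {
        System.out.println("provider = " + provider());
        for (int i = 1; configUrl(i) != null; i++) {
            System.out.println("url." + i + " = " + configUrl(i));
        }
    }
}
```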