Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Use of private and public credentials in JAAS

Tags:

java

jaas

In an interview interviewer asked me why you need private credentials in JAAS?
We can access both public credentials and private credentials like :

Set<Object> privateCredentials = subject.getPrivateCredentials();
Set<Object> publicCredentials = subject.getPublicCredentials();

Both ( privateCredentials and publicCredentials ) are accessible and the way of access are same.
So, what is the significance for tow types of credentials?

like image 750
Shreyos Adikari Avatar asked Sep 25 '12 07:09

Shreyos Adikari

People also ask

What is private credentials in Java?

Private credentials are secrets. Since Subject objects can have a wide audience, these need to be hidden from access by "outsiders". The API provides restrictions for accessing the private credentials of a Subject, which are detailed in other answers. Examples: password.

How does JAAS authentication work?

JAAS authentication is performed in a pluggable fashion, so applications can remain independent from underlying authentication technologies. A system administrator determines the authentication technologies, or LoginModules, to be used for each application and configures them in a login Configuration.

Is a private key a credential?

Cryptographic keys, for example, represent credentials that enable the subject to sign or encrypt data. Public and private credential classes are not part of the core JAAS class library. Any class, therefore, can represent a credential.

2 Answers

From "Java and Internet Security" book by Theodore Shrader, Bruce A. Rich, Anthony J. Nadalin:

With somewhat more controversy, the JAAS designers concluded that Principals may have some sort of proof of identity that they need to be able to provide at a moment’s notice, and these proofs of identity may include sensitive information, so a set of public credentials and a set of private credentials were also added to Subject. Since the content of a credential may vary widely across authentication mechanisms, from a simple password to a fingerprint (to infinity and beyondl), the type of a credential was simply left as java.lang.Obiect. Relationships between Principals and credentials, if any, were left as an exercise for the implementer of the particular Principal class (or more likely, the particular LoginModule class). From a JAAS perspective, the only difference between private and public credentials is that a particular javax.security.auth.AuthPermission is required for access to the set of private credentials.

like image 162
kaos Avatar answered Oct 19 '22 14:10

kaos

From the JAAS Reference Guide:

In order to iterate through a Set of private credentials, you need a javax.security.auth.PrivateCredentialPermission to access each credential. See the PrivateCredentialPermission API documentation for further information.

like image 1
dngfng Avatar answered Oct 19 '22 13:10

dngfng
Sign in to Comment

Related questions

Java library to maintain a process pool
How to apply Static Weaving Ant Task with Eclipse-Link JPA in Netbeans?
Should the "connection" argument of doWork() be closed?
How to use Ctrl+Z and Ctrl+Y with all Text Components?
How to solve EI_EXPOSE_REP2 and why exactly its wrong
retrieving Exception Full stacktrace
How can I retrieve all items from the paginated result of a DynamoDBMapper query()?
ACRA vs Android developer console crash error report
Guice equivalent in C# [closed]
VisualVM socket.read
Confusion between mappings and types in ElasticSearch
How to initialize a Java Date object in Spring xml configuration file?
@parameters method is executed before @beforeclass method
Dealing with Singletons which have to subclass
Android Best way to convert byte array to Bitmap?
Getting the object of a singleton collection
Java ExecutorService pause/resume a specific thread
Found reliance on default encoding in FileReader [duplicate]
Java Web Start Error "Can not find message file"
How do I add a new Currency to java.util.Currency for an existing country code in Java 7?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!