Use of private and public credentials in JAAS

Tags: java, jaas

In an interview, the interviewer asked me why you need private credentials in JAAS.
We can access both public credentials and private credentials like:

import java.util.Set;
import javax.security.auth.Subject;

Set<Object> privateCredentials = subject.getPrivateCredentials();
Set<Object> publicCredentials = subject.getPublicCredentials();

Both (privateCredentials and publicCredentials) are accessible, and the way of access is the same.
So, what is the significance of two types of credentials?

Shreyos Adikari asked Sep 25 '12 07:09


People also ask

What is private credentials in Java?

Private credentials are secrets. Since Subject objects can have a wide audience, these need to be hidden from access by "outsiders". The API provides restrictions for accessing the private credentials of a Subject, which are detailed in other answers. Examples: password.

How does JAAS authentication work?

JAAS authentication is performed in a pluggable fashion, so applications can remain independent from underlying authentication technologies. A system administrator determines the authentication technologies, or LoginModules, to be used for each application and configures them in a login Configuration.

Is a private key a credential?

Cryptographic keys, for example, represent credentials that enable the subject to sign or encrypt data. Public and private credential classes are not part of the core JAAS class library. Any class, therefore, can represent a credential.


2 Answers

From "Java and Internet Security" book by Theodore Shrader, Bruce A. Rich, Anthony J. Nadalin:

With somewhat more controversy, the JAAS designers concluded that Principals may have some sort of proof of identity that they need to be able to provide at a moment's notice, and these proofs of identity may include sensitive information, so a set of public credentials and a set of private credentials were also added to Subject. Since the content of a credential may vary widely across authentication mechanisms, from a simple password to a fingerprint (to infinity and beyond!), the type of a credential was simply left as java.lang.Object. Relationships between Principals and credentials, if any, were left as an exercise for the implementer of the particular Principal class (or more likely, the particular LoginModule class). From a JAAS perspective, the only difference between private and public credentials is that a particular javax.security.auth.AuthPermission is required for access to the set of private credentials.

kaos answered Oct 19 '22 14:10


From the JAAS Reference Guide:

In order to iterate through a Set of private credentials, you need a javax.security.auth.PrivateCredentialPermission to access each credential. See the PrivateCredentialPermission API documentation for further information.

dngfng answered Oct 19 '22 13:10
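An added example (not from the question or either answer) that makes the difference both answers describe observable: a Subject holding one public and one private credential is iterated first with no SecurityManager, then under a hypothetical SecurityManager subclass that denies PrivateCredentialPermission. It assumes Java 8 to 17 as written; on Java 18 to 23 it needs -Djava.security.manager=allow, and Java 24 removed the SecurityManager entirely (JEP 486).

```java
import java.security.Permission;
import javax.security.auth.PrivateCredentialPermission;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

public class CredentialSetsDemo {
    // Hypothetical SecurityManager: permits everything except the permission
    // that guards private credentials, so the check is visible without a policy file.
    static final class DenyPrivateCredentials extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof PrivateCredentialPermission) {
                throw new SecurityException("denied " + perm.getName());
            }
        }
    }

    // Returns how many private credentials could be iterated, or -1 when
    // Subject's SecureSet iterator refuses access in next().
    static int readablePrivateCredentials(Subject subject) {
        try {
            int n = 0;
            for (Object ignored : subject.getPrivateCredentials()) n++;
            return n;
        } catch (SecurityException e) {
            return -1;
        }
    }

    public static void main(String[] args) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new X500Principal("CN=alice"));   // constructed sample
        subject.getPublicCredentials().add("certificate (constructed sample)");
        subject.getPrivateCredentials().add("p4ssw0rd (constructed sample)".toCharArray());
        // 1. No SecurityManager: the two sets behave identically, as the question observes.
        System.out.println("without SecurityManager: " + readablePrivateCredentials(subject)); // 1
        // 2. With one installed, only the private set's iterator checks a
        //    PrivateCredentialPermission("<credential class> <principal class> \"<name>\"", "read")
        //    on every next(); the public set is never checked.
        System.setSecurityManager(new DenyPrivateCredentials());
        try {
            System.out.println("with SecurityManager:    " + readablePrivateCredentials(subject)); // -1
            System.out.println("public still readable:   " + subject.getPublicCredentials().iterator().next());
        } finally {
            System.setSecurityManager(null);
        }
    }
}
```

Without a SecurityManager (the common case, and the only case on current JDKs) getPrivateCredentials() is no more protected than getPublicCredentials(), so the private set is a labelling convention telling callers what must not be logged, serialized or exposed, not an access control on its own.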