In an interview, the interviewer asked me why you need private credentials in JAAS?
We can access both public credentials and private credentials like:
Set<Object> privateCredentials = subject.getPrivateCredentials();
Set<Object> publicCredentials = subject.getPublicCredentials();
Both (privateCredentials and publicCredentials) are accessible, and the way of access is the same.
So, what is the significance of two types of credentials?
Private credentials are secrets. Since Subject objects can have a wide audience, these need to be hidden from access by "outsiders". The API provides restrictions for accessing the private credentials of a Subject, which are detailed in other answers. Examples: password.
JAAS authentication is performed in a pluggable fashion, so applications can remain independent from underlying authentication technologies. A system administrator determines the authentication technologies, or LoginModules, to be used for each application and configures them in a login Configuration.
Cryptographic keys, for example, represent credentials that enable the subject to sign or encrypt data. Public and private credential classes are not part of the core JAAS class library. Any class, therefore, can represent a credential.
From "Java and Internet Security" book by Theodore Shrader, Bruce A. Rich, Anthony J. Nadalin:
With somewhat more controversy, the JAAS designers concluded that Principals may have some sort of proof of identity that they need to be able to provide at a moment's notice, and these proofs of identity may include sensitive information, so a set of public credentials and a set of private credentials were also added to Subject. Since the content of a credential may vary widely across authentication mechanisms, from a simple password to a fingerprint (to infinity and beyond!), the type of a credential was simply left as java.lang.Object. Relationships between Principals and credentials, if any, were left as an exercise for the implementer of the particular Principal class (or more likely, the particular LoginModule class). From a JAAS perspective, the only difference between private and public credentials is that a particular javax.security.auth.AuthPermission is required for access to the set of private credentials.
From the JAAS Reference Guide:
In order to iterate through a Set of private credentials, you need a javax.security.auth.PrivateCredentialPermission to access each credential. See the PrivateCredentialPermission API documentation for further information.
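The following added example (not from the question, the book, or the JAAS guide) shows the point made in the two answers above: both sets are read with the same code, but once a SecurityManager is installed, iterating the private set triggers a PrivateCredentialPermission check while the public set does not. PasswordCredential is a hypothetical credential class for the demo; the public token is a constructed value. It assumes Java 8 to 17 (Java 18 to 23 need -Djava.security.manager=allow; Java 24 removed the SecurityManager).

```java
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

public class CredentialDemo {
    // Hypothetical credential class for this demo; JAAS leaves the credential type as Object.
    static final class PasswordCredential {
        private final char[] password;
        PasswordCredential(char[] password) { this.password = password.clone(); }
        // Never print the secret itself; show only its length.
        @Override public String toString() { return "PasswordCredential[" + password.length + " chars]"; }
    }

    // Reads both sets the same way; only the private set is permission-checked, and only on next().
    static void dump(String phase, Subject subject) {
        Set<Object> pub = subject.getPublicCredentials();    // never permission-checked
        Set<Object> priv = subject.getPrivateCredentials();  // returns the Set without a check...
        for (Object token : pub) {
            System.out.println(phase + ": public  = " + token);
        }
        try {
            for (Object secret : priv) {                     // ...each next() needs PrivateCredentialPermission
                System.out.println(phase + ": private = " + secret);
            }
        } catch (SecurityException e) {
            System.out.println(phase + ": private read denied: " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new X500Principal("CN=alice"));
        subject.getPublicCredentials().add("constructed public token");  // e.g. a certificate in real use
        subject.getPrivateCredentials().add(new PasswordCredential("s3cr3t".toCharArray()));

        // 1) No SecurityManager: both sets read identically, which is what the question observed.
        dump("no-SM", subject);

        // 2) Default policy grants this class no PrivateCredentialPermission, so the private read fails.
        System.setSecurityManager(new SecurityManager());
        dump("with-SM", subject);

        // To allow the read, a policy file would need the credential class AND the Subject's Principal:
        // grant { permission javax.security.auth.PrivateCredentialPermission
        //   "CredentialDemo$PasswordCredential javax.security.auth.x500.X500Principal \"CN=alice\"", "read"; };
        // Adding to or removing from the private set needs AuthPermission "modifyPrivateCredentials".
    }
}
```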