AuthPermission (Java SE 11 & JDK 11 ) (original) (raw)
This class is for authentication permissions. An AuthPermission contains a name (also referred to as a "target name") but no actions list; you either have the named permission or you don't.
The target name is the name of a security configuration parameter (see below). Currently the AuthPermission object is used to guard access to the Subject,LoginContext, andConfiguration objects.
The standard target names for an Authentication Permission are:
doAs - allow the caller to invoke the
`Subject.doAs` methods.
doAsPrivileged - allow the caller to invoke the
`Subject.doAsPrivileged` methods.
getSubject - allow for the retrieval of the
Subject(s) associated with the
current Thread.
getSubjectFromDomainCombiner - allow for the retrieval of the
Subject associated with the
a `SubjectDomainCombiner`.
setReadOnly - allow the caller to set a Subject
to be read-only.
modifyPrincipals - allow the caller to modify the `Set`
of Principals associated with a
`Subject`
modifyPublicCredentials - allow the caller to modify the
`Set` of public credentials
associated with a `Subject`
modifyPrivateCredentials - allow the caller to modify the
`Set` of private credentials
associated with a `Subject`
refreshCredential - allow code to invoke the `refresh`
method on a credential which implements
the `Refreshable` interface.
destroyCredential - allow code to invoke the `destroy`
method on a credential `object`
which implements the `Destroyable`
interface.
createLoginContext.{name} - allow code to instantiate a
`LoginContext` with the
specified `name`. `name`
is used as the index into the installed login
`Configuration`
(that returned by
`Configuration.getConfiguration()`).
_name_ can be wildcarded (set to '*')
to allow for any name.
getLoginConfiguration - allow for the retrieval of the system-wide
login Configuration.
createLoginConfiguration.{type} - allow code to obtain a Configuration
object via
`Configuration.getInstance`.
setLoginConfiguration - allow for the setting of the system-wide
login Configuration.
refreshLoginConfiguration - allow for the refreshing of the system-wide
login Configuration.Please note that granting this permission with the "modifyPrincipals", "modifyPublicCredentials" or "modifyPrivateCredentials" target allows a JAAS login module to populate principal or credential objects into the Subject. Although reading information inside the private credentials set requires a PrivateCredentialPermission of the credential type to be granted, reading information inside the principals set and the public credentials set requires no additional permission. These objects can contain potentially sensitive information. For example, login modules that read local user information or perform a Kerberos login are able to add potentially sensitive information such as user ids, groups and domain names to the principals set.
The following target name has been deprecated in favor ofcreateLoginContext.{name}.
createLoginContext - allow code to instantiate a
`LoginContext`.