Some basic questions about JAAS
843811 Sep 13 2008 — edited Sep 13 2008

I am confused about the general use of the JAAS mechanism in Java. Hopefully someone can answer these hopefully not too naive questions:
1. Does it ever make sense to use java.net.Authenticator instead of JAAS?
2. JAAS allows the definition of an assumedly text based Configuration file that instructs the LoginContext how to stack various login mechanisms on top of each other. Wouldn't this be easily hacked by the user, where one would only need to edit this known file and remove the authentication requirement(s)?
3. I am confused about the utility of the Subject.doAs... privileged security actions. Specifically, does this absolutely prevent a hacker from running the program in a debugger and running certain bytecode? I have read the tutorial section on what Subject.doAs... provides, but does this stop a hacker from obtaining the PrivilegedAction object (or code inside it) and somehow executing that code in a debugger or in a custom jar?
Thank You,
Eric
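An added, self-contained illustration of the two mechanisms questions 2 and 3 ask about (this is editorial example code, not part of Eric's post or of any JAAS tutorial). It wires a toy LoginModule into a LoginContext through a programmatic javax.security.auth.login.Configuration rather than a text file, so the stack of login modules is decided in code that ships with the application instead of in an editable file; and it runs a PrivilegedAction under Subject.doAs to show what doAs actually does: it binds the authenticated Subject to the AccessControlContext for the duration of the action (Subject.getSubject sees the principals inside the action and null outside). The action is ordinary bytecode; nothing here hides it from a debugger. The application name "Demo", the DemoLoginModule/DemoPrincipal classes and the credential eric/s3cret are constructed for this example. It uses the JAAS API as it stood when the question was asked (Java 6); JDK 18 and later deprecate Subject.doAs and Subject.getSubject in favour of Subject.callAs and Subject.current.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Editorial example: in-code JAAS configuration plus a Subject.doAs demonstration. */
public class JaasDemo {

    /** Constructed principal type; a real module would add whatever principals it derives. */
    public static class DemoPrincipal implements Principal {
        private final String name;
        public DemoPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public String toString() { return "DemoPrincipal[" + name + "]"; }
    }

    /** Toy LoginModule: accepts one constructed credential (eric / s3cret). Illustration only. */
    public static class DemoLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private boolean succeeded;
        private String user;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (java.io.IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e);
            }
            char[] pw = pc.getPassword();
            // Compare as char[] so no String copy of the password lingers on the heap.
            succeeded = "eric".equals(nc.getName()) && pw != null
                        && Arrays.equals(pw, "s3cret".toCharArray());
            pc.clearPassword();
            if (pw != null) Arrays.fill(pw, '\0');
            if (!succeeded) throw new LoginException("bad credentials");
            user = nc.getName();
            return true;
        }

        public boolean commit() {
            if (succeeded) subject.getPrincipals().add(new DemoPrincipal(user));
            return succeeded;
        }
        public boolean abort() { succeeded = false; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Programmatic Configuration: the module stack lives in code, not in an editable file.
     *  The equivalent text-file entry would be:  Demo { JaasDemo$DemoLoginModule required; }; */
    static Configuration inMemoryConfig() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!"Demo".equals(name)) return null;
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(DemoLoginModule.class.getName(),
                        LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>())
                };
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // Constructed callback handler that supplies the demo credential non-interactively.
        CallbackHandler h = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName("eric");
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("s3cret".toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("Demo", null, h, inMemoryConfig());
        lc.login();                       // throws LoginException on bad credentials
        Subject s = lc.getSubject();

        // doAs binds s to the AccessControlContext only while the action runs.
        String inside = Subject.doAs(s, (PrivilegedAction<String>) () -> {
            Subject cur = Subject.getSubject(AccessController.getContext());
            return cur == null ? "nobody" : cur.getPrincipals().toString();
        });
        Subject outside = Subject.getSubject(AccessController.getContext());
        System.out.println("inside doAs:  " + inside);    // [DemoPrincipal[eric]]
        System.out.println("outside doAs: " + outside);   // null
    }
}
```

Run with `javac JaasDemo.java && java JaasDemo`. The point of the in-memory Configuration is that the choice of login modules is part of the deployed code rather than a file a local user can edit; whoever can replace the application's classes can of course still change it, so protecting that choice is a matter of where the application runs and who can write to it, not something JAAS itself enforces. Likewise, doAs only affects what authorization checks inside the JVM see as the current Subject; a debugger attached to the process sees the PrivilegedAction like any other object.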