public static Policy getPolicy Return the currently installed JAAS policy object. You must have the AuthPermission named getPolicy to invoke this method. This method will always return an object, because there is always a JAAS policy object in effect. public static void setPolicyPolicy policy Set the JAAS policy. You must have the AuthPermission named setPolicy to invoke this method. public abstract PermissionCollection getPermissionsSubject subject, CodeSource cs Retrieve the permissions that should be granted to the given code loaded from the given code source when it is run by the principals contained in the given subject. public abstract void refresh Refresh the policies in effect e.g., by rereading the JAAS policy file. Except for the subject parameter in the getPermissions method, this is the same API as the core Java Policy class. Heres how you can use this class to implement user−specific file permissions. Well assume that there are specific policies in the JAAS policy file that you want to apply, so we wont completely replace the PolicyFile class; instead, well take the permissions from that class and add to them: package javasec.samples.ch15; import java.util.; import java.io.; import java.security.CodeSource; import java.security.PermissionCollection; import java.security.Principal; import javax.security.auth.Subject; import javax.security.auth.Policy; public class UserPolicy extends Policy { private Policy deferredPolicy; public UserPolicyPolicy p { deferredPolicy = p; } public PermissionCollection getPermissionsSubject s, CodeSource cs { PermissionCollection pc = deferredPolicy.getPermissionss, cs; if s == null return pc; No subject means no specific permissions Set principals = s.getPrincipals ; Iterator i = principals.iterator ; while i.hasNext { Principal p = Principal i.next ; FilePermission fp = new FilePermissionFile.separator + files + File.separator + p.getName + File.separator + −, read,write,delete; pc.addfp; } return pc; } public void refresh { deferredPolicy.refresh ; } } This class is constructed with an instance of the policy class; it takes permissions from that class and adds the new file permissions to it. When it is asked for permissions for a particular subject, it gets the standard permissions for that subject, then iterates through the principal names in that subject and adds a file permission for each of them. So the user with the principal name sdo will be allowed to read, write, and delete all files in the entire hierarchy of filessdo. Depending on the login modules in place, this will grant additional probably harmless permissions. When authenticated with the Solaris login module, this will also grant me permissions on files45, files6058, and files20 based on the other principal types in the subject, which contain my login and group ID numbers. If you need to avoid this, base the permission on particular principal types. To use this, you must instantiate it with an instance of the existing Policy class: javax.security.auth.Policy.setPolicy new UserPolicyjavax.security.auth.Policy.getPolicy ; This is typically done within the main method of the application, but the policy can be changed at any time.

15.4.4 Administering a JAAS Policy

If you write a new JAAS policy class, you can install it either programmatically as we just showed or administratively, by placing the following line into the JREHOMElibsecurityjava.security file: auth.policy.provider=MyPolicyClass This works only for policy classes that have a default constructor; it wont work for our UserPolicy class because that class depends on another Policy class, to which it defers most of its work. However, unlike the core Policy class, this class need not be on the system classpath to be specified in the java.security file. The standard JAAS policy class will read a policy file specified on the command line as − Djava.security.auth.policy=policyfile as shown earlier. You can also set up the java.security file to specify default JAAS policy files by adding this line: auth.policy.url.1=policyURL Substitute the correct URL for policyURL . As with standard policy files, you may specify any number of files in the java.security file; each must be numbered consecutively, starting with 1. If the command−line java.security.auth.policy file is specified with a double equals sign = =, the entries in the java.security file will be ignored. On the other hand, if the property policy.allowSystemProperty in the java.security file is set to false , the command−line property will be ignored. This is all completely analogous to the core Java policy handling, except that there are no JAAS policy files listed by default in the java.security file.