Re: Security in JDK 1.2; principal, authentication primitives, etc.

David Brownell (db@eng.sun.com)
Mon, 19 Apr 1999 14:01:11 -0700

To: "Manchala, Daniel" <manchala@cp10.es.xerox.com>

Actually, that paper had some bugs in it in those areas.
There's been a java.security.Principal interface since
JDK 1.1, and the java.security.acl package for authorization
was also provided at the same time.

However, there were no standard ways to access trustworthy
implementations of those interfaces, and the ACL package
has since been deprecated. The primary use was in fact for
server applications which, clearly, need to authenticate
their clients (not just the server VM) and authorize them;
it was the server environments which provided such trustworthy
implementations.

I'll let someone else describe the followup for that early
Java Platform work.

- Dave

"Manchala, Daniel" wrote:
>
> Li Gong's article dated October 2, 1998 states the following. Question: When
> will JDK 1.2 have these 4 features?
>
> We are interested in all four for application integration with security.
>
> Are there any commercial products (startups?) doing this?
>
> Daniel.
>
> > 8 Discussion and Future Directions
> > 8.1 Users, Authentication, and Credentials
> > Today the notion of a principal (e.g., user) is implicit because each JVM
> > is owned by one user. In the future, there will be a need to extend the
> > existing concept of ProtectionDomain to include the notion of
> > "running-on-behalf of" a principal.
> > Therefore, we are actively looking to provide the following features in
> > the near future:
> > * explicit principal concept and classes
> > * user authentication primitives (both password-based and otherwise)
> > * cross-protection-domain principal authentication protocols
> > * general mechanisms for authorization and delegation
> >
> >