SSL Myth Busting: Java Authentication and Authorization Services (JAAS) Framework Handles All Protocols and Mechanisms Securely [Nope.]
Onto the next post: the Java Authentication and Authorization Services (JAAS) framework handles all protocols and mechanisms in a secure manner.
Many intranet resources and SOA Web services are Java Web applications, and as such they rely on JAAS, the Java platform's user-centric (Subject-based) authentication and authorization framework in java.security and javax.security.auth. For applications built on the Rich Client Platform, Eclipse ships a collection of plug-ins that implement the JAAS API on top of RCP; developers can extend them to support their own security needs.
The code snippet below, an AspectJ aspect, shows how easy it is to disable every authorization check in a system implementing JAAS: the around advice intercepts each call to the check and never calls proceed(), so the check simply never runs.

    public aspect HackJAAS {
        // Match every call to the one standardized authorization check.
        public pointcut hackJAAS() : call(* java.security.AccessController.checkPermission(..));

        // Around advice with no proceed() call: the permission check is silently skipped.
        void around() : hackJAAS() {
            // Do nothing. No proceed-call.
        }
    }
The reason this is such an easy task is that JAAS is a standardized framework. To perform an authorization check, an application (or the SecurityManager acting on its behalf) ends up calling AccessController.checkPermission. Everyone knows this, both lawful programmers and hackers. That means that if an application uses JAAS, a hacker automatically knows which code they need to disable. The hacker doesn't need to see the source code, nor do they need to see any kind of documentation. The one prerequisite is the ability to get the advice woven in at all, either into the build (compile-time weaving) or at runtime (load-time weaving via the AspectJ agent), so the real defence is integrity of the deployment: signed and sealed JARs, a locked-down classpath, and no untrusted agents or instrumentation. The Norwegian Information Security Laboratory does an excellent job of explaining the technical details of this vulnerability, if you'd like more information.
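The attack shape, and the check a defender can add, is easier to see in a small runnable analogue than in a woven aspect. The Python below is an added example and is not code from the original post or from JAAS: a stand-in AccessController whose check_permission is the single standardized choke point, protected operations that all funnel through it, an attacker's "around advice" that replaces the check with one that never proceeds, and a defender-side check_is_intact() that fingerprints the genuine check at startup and fails the comparison once it has been swapped out. The users, permissions and grant table are constructed for the example.

```python
"""Analogue of the AspectJ trick: one well-known check, one patch to disable it.

Added example, not part of the original post or of JAAS itself.
"""
import hashlib


class AccessDenied(Exception):
    """Raised by the stand-in check when a permission is not granted."""


class AccessController:
    """Stand-in for java.security.AccessController: every protected
    operation funnels through the single, well-known check_permission."""

    # Constructed grant table for the example (not a real policy file).
    _grants = {"alice": {"file.read"}, "bob": set()}

    @staticmethod
    def check_permission(user, perm):
        if perm not in AccessController._grants.get(user, set()):
            raise AccessDenied(f"{user} lacks {perm}")


# Two protected operations, both using the standardized check.
def read_file(user):
    AccessController.check_permission(user, "file.read")
    return "secret contents"


def delete_file(user):
    AccessController.check_permission(user, "file.delete")
    return "deleted"


def hack_jaas():
    """Attacker's 'around advice': intercept the one known check and
    never proceed to the real implementation. Mirrors the aspect above."""
    AccessController.check_permission = staticmethod(lambda user, perm: None)


# Defender: fingerprint the genuine check at startup (identity plus a hash
# of its bytecode) so a swapped-in or rewritten check can be detected.
_GENUINE_CHECK = AccessController.check_permission
_GENUINE_DIGEST = hashlib.sha256(_GENUINE_CHECK.__code__.co_code).hexdigest()


def check_is_intact():
    """True only if the check in place is the original function with its
    original bytecode. A patched check fails this comparison."""
    current = AccessController.check_permission
    if current is not _GENUINE_CHECK:
        return False
    return hashlib.sha256(current.__code__.co_code).hexdigest() == _GENUINE_DIGEST


def restore_check():
    """Put the genuine check back (used so scenarios can run back to back)."""
    AccessController.check_permission = staticmethod(_GENUINE_CHECK)


def attempt(user, action):
    """Run one protected operation and report 'ok' or 'denied'."""
    try:
        action(user)
        return "ok"
    except AccessDenied:
        return "denied"


def run_scenario(disable_checks):
    """Run the protected operations with or without the attacker's patch
    and return the outcomes together with the integrity verdict."""
    restore_check()
    if disable_checks:
        hack_jaas()
    results = {
        "alice_read": attempt("alice", read_file),
        "bob_read": attempt("bob", read_file),
        "bob_delete": attempt("bob", delete_file),
        "check_intact": check_is_intact(),
    }
    restore_check()
    return results


if __name__ == "__main__":
    print("untouched:", run_scenario(disable_checks=False))
    print("patched:  ", run_scenario(disable_checks=True))
```

With the check untouched, bob is denied both operations and check_is_intact() is True; once hack_jaas() has been applied, every operation succeeds for every user and check_is_intact() is False. The integrity check only raises the bar, of course: an attacker who can weave advice into the application can weave it around the integrity check too, which is why the real control in a Java deployment is keeping untrusted code and agents out of the process in the first place.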
For now - another myth busted.