Java Authentication and Authorization Service
Uploaded by
sohelsunJava Authentication and Authorization Service
Uploaded by
sohelsunJava Authentication and Authorization Service - Wikipedia, the free e...
https://en.wikipedia.org/wiki/Java_Authentication_and_Authorization...
Java Authentication and Authorization Service
From Wikipedia, the free encyclopedia
Java Authentication and Authorization Service, or JAAS, pronounced "Jazz",[1] is the Java
implementation of the standard Pluggable Authentication Module (PAM) information security framework.[2]
JAAS was introduced as an extension library to the Java Platform, Standard Edition 1.3 and was integrated
in version 1.4.[2]
The main goal of JAAS is to separate the concerns of user authentication so that they may be managed
independently. While the former authentication mechanism contained information about where the code
originated from and who signed that code, JAAS adds a marker about who runs the code. By extending the
verification vectors JAAS extends the security architecture for Java applications that require authentication
and authorization modules.
Contents
1 Administration
2 Application interface
3 Security system integration
4 Login Modules
4.1 LoginModule (javax.security.auth.spi.LoginModule)
4.2 LoginContext (javax.security.auth.login.LoginContext)
4.3 Subject (javax.security.auth.Subject)
4.4 Principal (java.security.Principal)
4.5 Credentials
5 Form Authentication
6 See also
7 References
8 External links
Administration
For the system administrator, JAAS consists of two kinds of configuration file:
*.login.conf:
*.policy:
specifies how to plug vendor-supplied login modules into particular applications
specifies which identities (users or programs) are granted which permissions
For example, an application may have this login.conf file indicating how different authentication
mechanisms are to be run to authenticate the user:
PetShopApplication {
com.sun.security.auth.module.LdapLoginModule sufficient;
com.foo.SmartcardLoginModule
requisite;
com.sun.security.auth.module.UnixLoginModule required debug=true;
1 sur 4
Java Authentication and Authorization Service - Wikipedia, the free e...
2 sur 4
https://en.wikipedia.org/wiki/Java_Authentication_and_Authorization...
Application interface
For the application developer, JAAS is a standard library that provides:
a representation of identity (Principal) and a set of credentials (Subject)
a login service that will invoke your application callbacks to ask the user things like username and
password. It returns a new Subject
a service that tests if a Subject was granted a permission by an administrator.
Security system integration
For the security system integrator, JAAS provides interfaces:
to provide your identity namespace to applications
to attach credentials to threads (Subject)
for developing login modules. Your module invokes callbacks to query the user, checks their response
and generates a Subject.
Login Modules
Login modules are primarily concerned with authentication rather than authorization and form a widely used
component of JAAS. A login module is required to implement the javax.security.auth.spi.LoginModule
interface, which specifies the following methods:
Note: A Subject is the user that is attempting to log in.
initialize: Code to initialize the login module, usually by storing the parameters passed into
appropriate fields of the Class.
login: Actually check the credentials provided via an Object that implements the
javax.security.auth.Callback interface (e.g. check against a database). This method could prompt the
user for their login and password or it could use details previously obtained. It is important to note
here that, if invalid credentials are supplied then a javax.security.auth.login.FailedLoginException
should be thrown (rather than returning false, which indicates that this login module should be
ignored, which potentially allows authentication to succeed).
commit: The identity of the subject has been verified, so code in this method sets up the Principal and
Groups (roles) for the successfully authenticated subject. This method has to be written carefully in
enterprise applications as Java EE application servers often expect the relationships between the
Principal and Group objects to be set up in a certain way. This method should throw a
javax.security.auth.login.FailedLoginException if authentication fails (e.g. a user has specified an
incorrect login or password).
abort: Called if the authentication process itself fails. If this method returns false, then this Login
Module is ignored.
Java Authentication and Authorization Service - Wikipedia, the free e...
3 sur 4
https://en.wikipedia.org/wiki/Java_Authentication_and_Authorization...
logout: Code that should be executed upon logout (e.g. could remove the Principal from the Subject or
could invalidate a web session).
Login modules can provide single sign on (SSO) via a particular SSO protocol/framework (e.g. SAML,
OpenID, and SPNEGO), can check for the presence of hardware security tokens (e.g. USB token), e.t.c. In
an n-tier application, Login Modules can be present on both the client side and server side.
LoginModule (javax.security.auth.spi.LoginModule)
Login modules are written by implementing this interface; they contain the actual code for authentication. It
can use various mechanisms to authenticate user credentials. The code could retrieve a password from a
database and compare it to the password supplied to the module.
LoginContext (javax.security.auth.login.LoginContext)
The login context is the core of the JAAS framework which kicks off the authentication process by creating
a Subject. As the authentication process proceeds, the subject is populated with various principals and
credentials for further processing.
Subject (javax.security.auth.Subject)
A subject represents a single user, entity or system in other words, a client requesting authentication.
Principal (java.security.Principal)
A principal represents the face of a subject. It encapsulates features or properties of a subject. A subject can
contain multiple principals.
Credentials
Credentials are nothing but pieces of information regarding the subject in consideration. They might be
account numbers, passwords, certificates etc. As the credential represents some important information, the
further interfaces might be useful for creating a proper and secure credential
javax.security.auth.Destroyable and javax.security.auth.Refreshable. Suppose that after the successful
authentication of the user you populate the subject with a secret ID (in the form of a credential) with which
the subject can execute some critical services, but the credential should be removed after a specific time. In
that case, one might want to implement the Destroyable interface. Refreshable might be useful if a credential
has only a limited timespan in which it is valid.
Form Authentication
Form authentication is another commonly used part of JAAS. In this process the user is typically presented
with a web page containing a form asking for a username and password. This data is then submitted via
POST to a URL containing the text "j_security_check", e.g. www.example.com/j_security_check . The
credentials are checked on the server side and a session ID is returned to the client via a cookie. This
authentication method is flexible in that a Java HTTP client such as Apache HTTP client can be used in
place of a web-browser, e.g. in a desktop application, as long as the following standard steps are followed:
Request a protected URL (i.e. secured via a security-constraint element) in web.xml (where the login-
Java Authentication and Authorization Service - Wikipedia, the free e...
4 sur 4
https://en.wikipedia.org/wiki/Java_Authentication_and_Authorization...
config element has specified an authentication method of "FORM").
The server will return a redirect (302) to the security check URL mentioned above along with a cookie
containing the session ID ("JSESSIONID=...").
Send the username and password (encoded as form fields) along with the cookie via an HTTP POST
to the security check URL.
If authentication is successful, the server will send a 302 back to the original protected URL.
Send a GET request to that URL, passing the session ID cookie (preferably assert that the response
contains what you would expect from that original URL).
Additional assertions can be added to the above process.
See also
Apache Shiro
Keystore
OACC (http://oaccframework.org)
References
1. Theodore J. Shrader, Bruce A. Rich, Anthony J. Nadalin. JavaTM and internet security (http://books.google.ca
/books?id=JY7c3AIIXqMC&lpg=PA152&ots=wcjOldwm4i&pg=PA152#v=onepage&q&f=false). p. 152.
2. "Java Authentication and Authorization Service (JAAS) Reference Guide" (http://download.oracle.com/javase
/6/docs/technotes/guides/security/jaas/JAASRefGuide.html). oracle.com. Oracle Corporation. Retrieved 22 May
2012.
External links
JAAS Tutorial (http://www.javaranch.com/journal/2008/04/Journal200804.jsp#a6)
jGuard : open source project which can secure standalone or web applications based on JAAS
(http://jguard.xwiki.com)
All that JAAS - Java World (http://www.javaworld.com/javaworld/jw-09-2002/jw-0913-jaas.html)
Retrieved from "http://en.wikipedia.org
/w/index.php?title=Java_Authentication_and_Authorization_Service&oldid=643210995"
Categories: Java platform Java APIs Computer access control
This page was last modified on 19 January 2015, at 15:04.
Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may
apply. By using this site, you agree to the Terms of Use and Privacy Policy. Wikipedia is a registered
trademark of the Wikimedia Foundation, Inc., a non-profit organization.
