Java Authentication and Authorization Service, or JAAS, pronounced "Jazz",
is the
Java
Java (; id, Jawa, ; jv, ꦗꦮ; su, ) is one of the Greater Sunda Islands in Indonesia. It is bordered by the Indian Ocean to the south and the Java Sea to the north. With a population of 151.6 million people, Java is the world's mo ...
implementation of the standard
Pluggable Authentication Module (PAM)
information security
Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthori ...
framework.
JAAS was introduced as an extension library to the
Java Platform, Standard Edition
Java Platform, Standard Edition (Java SE) is a computing platform for development and deployment of portable code for desktop and server environments. Java SE was formerly known as Java 2 Platform, Standard Edition (J2SE).
The platform uses J ...
1.3 and was integrated in version 1.4.
JAAS has as its main goal the
separation of concerns
In computer science, separation of concerns is a design principle for separating a computer program into distinct sections. Each section addresses a separate '' concern'', a set of information that affects the code of a computer program. A concern ...
of user authentication so that they may be managed independently. While the former
authentication
Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicat ...
mechanism contained information about where the code originated from and who signed that code, JAAS adds a marker about who runs the code. By extending the verification vectors JAAS extends the security architecture for Java applications that require authentication and
authorization
Authorization or authorisation (see spelling differences) is the function of specifying access rights/privileges to resources, which is related to general information security and computer security, and to access control in particular. More f ...
modules.
Administration
For the
system administrator
A system administrator, or sysadmin, or admin is a person who is responsible for the upkeep, configuration, and reliable operation of computer systems, especially multi-user computers, such as servers. The system administrator seeks to en ...
, JAAS consists of two kinds of
configuration file
In computing, configuration files (commonly known simply as config files) are files used to configure the parameters and initial settings for some computer programs. They are used for user applications, server processes and operating system ...
:
*
*.login.conf: specifies how to plug vendor-supplied
login
In computer security, logging in (or logging on, signing in, or signing on) is the process by which an individual gains access to a computer system by identifying and authenticating themselves. The user credentials are typically some form ...
modules into particular applications
*
*.policy: specifies which identities (users or programs) are granted which permissions
For example, an application may have this file indicating how different authentication mechanisms are to be run to authenticate the user:
PetShopApplication
Application interface
For the application developer, JAAS is a standard library that provides:
* a representation of identity (''
Principal'') and a set of credentials (''
Subject
Subject ( la, subiectus "lying beneath") may refer to:
Philosophy
*''Hypokeimenon'', or ''subiectum'', in metaphysics, the "internal", non-objective being of a thing
**Subject (philosophy), a being that has subjective experiences, subjective cons ...
'')
* a
login
In computer security, logging in (or logging on, signing in, or signing on) is the process by which an individual gains access to a computer system by identifying and authenticating themselves. The user credentials are typically some form ...
service that will invoke your application
callbacks
In computer programming, a callback or callback function is any reference to executable code that is passed as an argument to another piece of code; that code is expected to ''call back'' (execute) the callback function as part of its job. Thi ...
to ask the user things like username and
password
A password, sometimes called a passcode (for example in Apple devices), is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of ...
. It returns a new ''Subject''
* a service that tests if a Subject was granted a permission by an administrator.
Security system integration
For the security system integrator, JAAS provides interfaces:
* to provide your identity namespace to applications
* to attach credentials to threads (''Subject'')
* for developing
login
In computer security, logging in (or logging on, signing in, or signing on) is the process by which an individual gains access to a computer system by identifying and authenticating themselves. The user credentials are typically some form ...
modules. Your module invokes
callbacks
In computer programming, a callback or callback function is any reference to executable code that is passed as an argument to another piece of code; that code is expected to ''call back'' (execute) the callback function as part of its job. Thi ...
to query the user, checks their response and generates a ''Subject''.
Login Modules
Login modules are primarily concerned with authentication rather than authorization and form a widely used component of JAAS. A login module is required to implement the
javax.security.auth.spi.LoginModule interface, which specifies the following methods:
Note: A
Subject is the user that is attempting to log in.
*initialize: Code to initialize the login module, usually by storing the parameters passed into appropriate fields of the
Class.
*login: Actually check the credentials provided via an
Object that implements the
javax.security.auth.Callback interface (e.g. check against a database). This method could prompt the user for their login and password or it could use details previously obtained. It is important to note here that, if invalid credentials are supplied then a
javax.security.auth.login.FailedLoginException should be thrown (rather than returning false, which indicates that this login module should be ignored, which potentially allows authentication to succeed).
*commit: The identity of the subject has been verified, so code in this method sets up the
Principal and
Groups (roles) for the successfully authenticated subject. This method has to be written carefully in enterprise applications as Java EE application servers often expect the relationships between the
Principal and
Group objects to be set up in a certain way. This method should throw a
javax.security.auth.login.FailedLoginException if authentication fails (e.g. a user has specified an incorrect login or password).
*abort: Called if the authentication process itself fails. If this method returns false, then this Login Module is ignored.
*logout: Code that should be executed upon logout (e.g. could remove the
Principal from the
Subject or could invalidate a web session).
Login modules can provide single sign on (SSO) via a particular SSO protocol/framework (e.g.
SAML,
OpenID
OpenID is an open standard and decentralized authentication protocol promoted by the non-profit OpenID Foundation. It allows users to be authenticated by co-operating sites (known as relying parties, or RP) using a third-party identity provid ...
, and
SPNEGO), can check for the presence of hardware security tokens (e.g. USB token), etc. In an n-tier application,
LoginModules can be present on both the client side and server side.
LoginModule (javax.security.auth.spi.LoginModule)
Login modules are written by implementing this interface; they contain the actual code for authentication. It can use various mechanisms to authenticate user credentials. The code could retrieve a password from a database and compare it to the password supplied to the module.
LoginContext (javax.security.auth.login.LoginContext)
The login context is the core of the JAAS framework which kicks off the authentication process by creating a Subject. As the authentication process proceeds, the subject is populated with various principals and credentials for further processing.
Subject (javax.security.auth.Subject)
A subject represents a single user, entity or system –in other words, a client– requesting authentication.
Principal (java.security.Principal)
A principal represents the face of a subject. It encapsulates features or properties of a subject. A subject can contain multiple principals.
Credentials
Credentials are nothing but pieces of information regarding the subject in consideration. They might be account numbers, passwords, certificates etc. As the credential represents some important information, the further interfaces might be useful for creating a proper and secure credential –
javax.security.auth.Destroyable and
javax.security.auth.Refreshable. Suppose that after the successful authentication of the user you populate the subject with a secret ID (in the form of a credential) with which the subject can execute some critical services, but the credential should be removed after a specific time. In that case, one might want to implement the
Destroyable interface.
Refreshable might be useful if a credential has only a limited timespan in which it is valid.
See also
*
Apache Shiro
*
Keystore
OACC
References
External links
JAAS TutorialjGuard : open source project which can secure standalone or web applications based on JAAS*
SPNEGO Library - open source GNU LGPL project that relies on the JAAS framework to simplify Authentication and Authorization
{{Authentication APIs
Java APIs
Computer access control