Java Authentication and Authorization Service
Java Authentication and Authorization Service, or JAAS, pronounced "Jazz", is a Java security framework for user-centric security that augments the Java platform's code-based security. Since Java Runtime Environment 1.4, JAAS has been integrated into the JRE; previously Sun supplied it as an extension library.
JAAS's main goal is to separate the concerns of user authentication so that they can be managed independently. It adds a further layer of verification to the security architecture of the Java platform: the earlier, code-based mechanism decided what code may do from where the code originated and who signed it, whereas JAAS adds a marker of who is running the code. By extending these verification vectors, JAAS extends the security architecture for Java applications that require authentication and authorization modules.
Administration
For the system administrator, JAAS consists of two kinds of configuration file:
- *.login.conf: specifies how to plug vendor-supplied login modules into particular applications
- *.policy: specifies which identities (users or programs) are granted which permissions
For example, an application may have this login.conf file indicating how different authentication mechanisms are to be run to authenticate the user:
    PetShopApplication {
        com.sun.security.auth.module.LdapLoginModule sufficient;
        com.foo.SmartcardLoginModule requisite;
        com.sun.security.auth.module.UnixLoginModule required debug=true;
    };
Application interface
For the application developer, JAAS is a standard library that provides:
- a representation of identity (Principal) and a set of credentials (Subject)
- a login service that invokes your application's callbacks to ask the user for things like a username and password, and returns a new Subject
- a service that tests whether a Subject was granted a permission by an administrator.
Security system integration
For the security system integrator, JAAS provides interfaces:
- to provide your identity namespace to applications
- to attach credentials to threads (Subject)
- for developing login modules: your module invokes callbacks to query the user, checks their response and generates a Subject.
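The application interface and the integrator's login-module contract above, as an added example that is not code from the page or from the JDK: a hypothetical DemoLoginModule standing in for com.foo.SmartcardLoginModule from the page's login.conf, a CallbackHandler that answers its callbacks on the application's behalf, and a programmatic Configuration playing the role of login.conf. The accepted user name and password are constructed test values.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical module in the role of com.foo.SmartcardLoginModule from the page's login.conf: it asks the
// application for a name and password via callbacks and, on commit, adds a Principal to the Subject.
public class DemoLoginModule implements LoginModule {
    private Subject subject; private CallbackHandler handler; private String name; private boolean succeeded;
    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject; this.handler = handler;
    }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }  // the application fills in the values
        catch (Exception e) { throw new LoginException("callback failed: " + e.getMessage()); }
        char[] pw = pc.getPassword();
        pc.clearPassword();
        // Constructed check against test values; a real module would verify against a directory, a card, or PAM.
        succeeded = "alice".equals(nc.getName()) && pw != null && "s3cret".equals(new String(pw));
        if (pw != null) Arrays.fill(pw, '\0');  // do not leave the secret lying around in memory
        if (!succeeded) throw new FailedLoginException("bad credentials");
        name = nc.getName();
        return true;
    }
    // Principal has a single abstract method (getName), so a lambda is a valid Principal.
    public boolean commit() { if (succeeded) subject.getPrincipals().add(() -> name); return succeeded; }
    public boolean abort() { succeeded = false; name = null; return true; }
    public boolean logout() { subject.getPrincipals().clear(); return true; }
    public static void main(String[] args) throws LoginException {
        // Programmatic equivalent of a login.conf entry naming this module with the 'required' flag.
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String app) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        };
        CallbackHandler app = cbs -> {  // stands in for the UI that would prompt the user
            for (Callback cb : cbs) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName("alice");
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword("s3cret".toCharArray());
            }
        };
        LoginContext lc = new LoginContext("PetShopApplication", null, app, cfg);
        lc.login();  // runs the configured module stack; throws LoginException if it fails
        System.out.println("logged in as " + lc.getSubject().getPrincipals().iterator().next().getName());
    }
}
```

Run it with `java DemoLoginModule.java` on JDK 11 or later; swapping the REQUIRED flag for SUFFICIENT or REQUISITE shows how the control flags in login.conf change the overall login decision.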
See also
- PAM (Pluggable Authentication Modules)
- Apache Shiro
- Enterprise JavaBean#Security
- Keystore