All that JAAS

Scalable Java security with JAAS


Page 3 of 6

With any of these approaches, note that you can change some of the JAAS-related system property settings (as well as many other Java security settings) in the Java security properties file. This file, java.security, is located in the <jre-home>/lib/security directory and written in the standard Java properties file format.

Using JAAS authentication from your application typically involves the following steps:

  1. Create a LoginContext
  2. Optionally pass a CallbackHandler to the LoginContext, for gathering or processing authentication data
  3. Perform authentication by calling the LoginContext's login() method
  4. Perform privileged actions using the returned Subject (assuming login succeeds)


Here's a minimal example:

    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;

    LoginContext lc;
    try {
        // The constructor can also throw LoginException (for example, when no
        // "MyExample" entry exists in the JAAS configuration), so it belongs in the try.
        lc = new LoginContext("MyExample");
        lc.login();
    } catch (LoginException e) {
        // Authentication failed: stop here rather than falling through to the
        // privileged code below.
        return;
    }
    // Authentication successful, we can now continue.
    // We can use the returned Subject if we like.
    Subject sub = lc.getSubject();
    // MyPrivilegedAction is whatever java.security.PrivilegedAction you want run as sub.
    Subject.doAs(sub, new MyPrivilegedAction());


Underneath the covers, a few other things occur:

  1. During initialization, the LoginContext looks up the configuration entry "MyExample" in the JAAS configuration file (which you supplied) to determine which LoginModules to load, and in what order (see Figure 2)
  2. During login, the LoginContext calls each LoginModule's login() method
  3. Each login() method performs the authentication, enlisting the CallbackHandler whenever it needs input
  4. The CallbackHandler uses one or more Callbacks to interact with the user and gather input
  5. If the overall authentication succeeds, the LoginContext calls each LoginModule's commit() method, and only then is the new Subject instance populated with authentication details such as Principals and credentials (if it fails, abort() is called instead and the Subject stays empty)
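The whole round trip, as an added example that is not code from the original article: a CallbackHandler that answers a NameCallback and a PasswordCallback, a two-phase LoginModule (login() verifies, commit() populates the Subject), and the application code that drives them. Everything here is hypothetical: the class names, the single demo account "alice" / "correct horse", and the configuration file below, which I call jaas.conf and select with -Djava.security.auth.login.config=jaas.conf (the login.config.url.N properties in java.security, mentioned above, are the other way to point at it). The entry name must match the string passed to the LoginContext constructor, and the module is named by its binary class name:

    MyExample {
        JaasLoginExample$DemoLoginModule required;
    };

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasLoginExample {

    // Step 2: a CallbackHandler that answers the module's NameCallback and
    // PasswordCallback. A real one prompts the user or reads a login form.
    static final class FixedCredentialsHandler implements CallbackHandler {
        private final String name;
        private final char[] password;
        FixedCredentialsHandler(String name, char[] password) { this.name = name; this.password = password; }

        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(name);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);  // stores a copy
                } else {
                    throw new UnsupportedCallbackException(cb, "unsupported callback");
                }
            }
        }
    }

    // Hypothetical Principal for the login ID; Serializable, as the article notes.
    static final class UserPrincipal implements Principal, java.io.Serializable {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public String toString() { return "UserPrincipal[" + name + "]"; }
    }

    // The LoginModule named in the "MyExample" entry. Its user table is one constructed
    // demo account; a real module would consult a directory or password store.
    public static class DemoLoginModule implements LoginModule {
        private static final String DEMO_USER = "alice";
        private static final char[] DEMO_PASSWORD = "correct horse".toCharArray();
        private Subject subject;
        private CallbackHandler handler;
        private String pendingName;   // set by login(), turned into a Principal by commit()
        private UserPrincipal principal;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        // Phase 1: verify the credentials, but do not touch the Subject yet.
        public boolean login() throws LoginException {
            if (handler == null) throw new LoginException("no CallbackHandler to gather credentials");
            NameCallback nc = new NameCallback("username: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e);
            }
            char[] supplied = pc.getPassword();   // a copy; wipe it once compared
            pc.clearPassword();
            boolean ok = DEMO_USER.equals(nc.getName())
                    && supplied != null && Arrays.equals(supplied, DEMO_PASSWORD);
            if (supplied != null) Arrays.fill(supplied, '\0');
            if (!ok) throw new FailedLoginException("bad username or password");
            pendingName = nc.getName();
            return true;
        }

        // Phase 2: runs only if every required module's login() succeeded; this is
        // where the Subject actually receives its Principals (and any credentials).
        public boolean commit() {
            if (pendingName == null) return false;
            principal = new UserPrincipal(pendingName);
            subject.getPrincipals().add(principal);
            return true;
        }

        public boolean abort() { pendingName = null; principal = null; return true; }

        public boolean logout() {
            if (principal != null) subject.getPrincipals().remove(principal);
            return abort();   // same cleanup of module state
        }
    }

    public static void main(String[] args) {
        LoginContext lc;
        try {   // steps 1-3: create the context, hand it the handler, authenticate
            lc = new LoginContext("MyExample",
                    new FixedCredentialsHandler("alice", "correct horse".toCharArray()));
            lc.login();
        } catch (LoginException e) {
            System.err.println("authentication failed: " + e.getMessage());
            return;
        }
        Subject sub = lc.getSubject();   // step 4: use the populated Subject
        System.out.println("authenticated as " + sub.getPrincipals());
    }
}
```

Run it as `java -Djava.security.auth.login.config=jaas.conf JaasLoginExample`; with the wrong password the LoginContext reports a FailedLoginException and getSubject() is never reached, and with the property unset it fails earlier with "No LoginModules configured for MyExample". Two details are worth copying into real modules: the password is compared from a copy that is zeroed immediately afterwards, and nothing is added to the Subject until commit(), so a module that succeeds while a later required module fails never leaks its Principal into the Subject.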


We'll explain further details below, but to begin, let's look at the key JAAS classes and interfaces involved in the process. These are typically divided into the following three groups:

Table 1. JAAS classes and interfaces

  Group           Classes and interfaces
  Common          Subject, Principal, credential (not a specific class; any object can serve as a credential)
  Authentication  LoginContext, LoginModule, CallbackHandler, Callback
  Authorization   Policy, AuthPermission, PrivateCredentialPermission


Most of these classes and interfaces live in the javax.security.auth package and its subpackages (Principal is the older java.security.Principal), with some prebuilt, vendor-specific implementations in the com.sun.security.auth package, which is bundled with Sun's J2SE 1.4; code that depends on com.sun.security.auth is therefore not portable to other vendors' runtimes.

Note: Because we focus on authentication in this article, we don't delve into the authorization classes.

Common: Subjects, Principals, and Credentials

The Subject class represents an authenticated entity: an end user or administrator, or a Web service, device, or other process. A Subject holds three sets of security information:

  • Identities: in the form of one or more Principals
  • Public credentials: such as public keys or certificates
  • Private credentials: such as passwords or private keys


Principals represent a Subject's identities. They implement the java.security.Principal interface (which predates JAAS) and should also implement java.io.Serializable. A Principal's most important method is getName(), which returns the identity's name as a string. Because a Subject holds a Set of Principals rather than a single one, it can have several names at once: a social security number, login ID, email address, and so on can all identify the same user, so multiple identities are common in practice.
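To make the three sets concrete, here is an added example (mine, not the article's) that builds a Subject by hand with two Principals for one user, a public and a private credential, and then freezes it. The NamedPrincipal class, the names "alice" and "alice@example.com", and the key pair are all constructed for the example; the API calls on Subject are the real ones.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Set;
import javax.security.auth.Subject;

public class SubjectLayoutExample {

    // Hypothetical Principal that records which kind of name it carries. equals()
    // and hashCode() matter because getPrincipals() returns a Set.
    static final class NamedPrincipal implements Principal, java.io.Serializable {
        private final String kind, name;
        NamedPrincipal(String kind, String name) { this.kind = kind; this.name = name; }
        public String getName() { return name; }
        public String toString() { return kind + "=" + name; }
        public boolean equals(Object o) {
            return o instanceof NamedPrincipal && toString().equals(o.toString());
        }
        public int hashCode() { return toString().hashCode(); }
    }

    static Subject buildSubject() throws Exception {
        Subject sub = new Subject();
        // Identities: one user known by two names (login ID and e-mail address).
        sub.getPrincipals().add(new NamedPrincipal("login", "alice"));
        sub.getPrincipals().add(new NamedPrincipal("email", "alice@example.com"));
        // Credentials: a freshly generated key pair, split by sensitivity.
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        sub.getPublicCredentials().add(kp.getPublic());
        sub.getPrivateCredentials().add(kp.getPrivate());
        // Freeze the Subject once populated; later code cannot add or drop identities.
        sub.setReadOnly();
        return sub;
    }

    public static void main(String[] args) throws Exception {
        Subject sub = buildSubject();
        System.out.println("principals: " + sub.getPrincipals());
        // Type-filtered views are the idiomatic way to pull out one kind of credential.
        Set<PublicKey> pubs = sub.getPublicCredentials(PublicKey.class);
        Set<PrivateKey> privs = sub.getPrivateCredentials(PrivateKey.class);
        System.out.println("public keys: " + pubs.size() + ", private keys: " + privs.size());
        try {
            sub.getPrincipals().add(new NamedPrincipal("login", "mallory"));
        } catch (IllegalStateException e) {
            System.out.println("read-only Subject rejected the new principal");
        }
    }
}
```

Once setReadOnly() has been called, every add or remove on the three sets throws IllegalStateException, which is why a LoginModule populates the Subject in commit() before anyone freezes it. Under a security manager, reading the private credential set is additionally gated by PrivateCredentialPermission and setReadOnly() by AuthPermission, which is the authorization side this article leaves aside.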

Comments (6)

great
By Anonymous on October 20, 2009, 1:50 am
This is a practically usable document, and not merely a collection of fancy .........

Sun site - Vague
By Anonymous on September 12, 2009, 4:52 am
I always think I'm the only one who thinks the Sun tutorial is hard to understand. This is something Sun needs to look into. I specifically do not like to learn from...

Is there any alternative to the configuration file
By Anonymous on July 13, 2009, 8:48 am
Really a very concrete and clear introduction to JAAS; however, something that I do not like is to configure JAAS with a configuration file. Is it the only way to...

Great article..
By Anonymous on July 10, 2009, 11:29 am
This was a great article and really helped shed some light on all of this! Is there another example on the Authorization part? Thanks so much!

JAAS article
By Anonymous on March 17, 2009, 11:34 am
Very enlightening, especially given how vague the Sun site can be at times (e.g., it gives a trivial, hardcoded example of a user/pw and no clear idea how one would...
