The last element here, credential, is not a class or an interface, but can be any object. Credentials can include any authentication artifact, such as a ticket, key, or password, that specific security systems might require. The Subject class maintains unique Sets of private and public credentials, which can be retrieved with methods such as getPrivateCredentials() and getPublicCredentials(). These methods are more often used by security subsystems than at the application layer.
Your application layer uses LoginContext as its primary class for authenticating Subjects. LoginContext also represents where JAAS's dynamic pluggability comes into play, because when you construct a LoginContext, you specify a named configuration to load. The LoginContext typically loads the configuration information from a text file, which in turn tells the LoginContext which LoginModules to use during login.
The three commonly used methods in LoginContext are:

login(): Performs login, a relatively complex step that invokes all LoginModules specified for this configuration. If it succeeds, it creates an authenticated Subject. If it fails, it throws a LoginException.

getSubject(): Returns the authenticated Subject.

logout(): Logs out the authenticated Subject and removes its Principals and credentials.
We will show how to use these methods later.
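As an added illustration that is not part of the original article, the following client code runs the login()/getSubject()/logout() sequence against a named configuration entry. The entry name ExampleApp, the contents of the jaas.config file, the package com.example.auth for the article's RdbmsLoginModule, and the FixedCredentialHandler class are all assumptions made for this example; the configuration-file syntax itself is the standard JAAS login configuration format.

```java
import java.security.Principal;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/*
 * Constructed configuration file for this example. Save it as jaas.config and start the
 * JVM with -Djava.security.auth.login.config=jaas.config. The entry name "ExampleApp"
 * and the package "com.example.auth" are assumptions, not names from the article.
 *
 *   ExampleApp {
 *       com.example.auth.RdbmsLoginModule required;
 *   };
 */
public class LoginContextExample {

    /** Supplies a fixed username/password to any NameCallback/PasswordCallback it is handed. */
    static final class FixedCredentialHandler implements CallbackHandler {
        private final String username;
        private final char[] password;

        FixedCredentialHandler(String username, char[] password) {
            this.username = username;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(username);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password); // the callback keeps its own copy
                } else {
                    // Fail loudly on callback types this handler does not know how to answer.
                    throw new UnsupportedCallbackException(cb, "Unsupported callback " + cb.getClass().getName());
                }
            }
        }
    }

    public static void main(String[] args) {
        String username = args.length > 0 ? args[0] : "alice";
        char[] password = args.length > 1 ? args[1].toCharArray() : new char[0];
        LoginContext lc;
        try {
            // Look up the "ExampleApp" entry; a missing entry surfaces here, not at login().
            lc = new LoginContext("ExampleApp", new FixedCredentialHandler(username, password));
        } catch (LoginException e) {
            System.err.println("Configuration problem: " + e.getMessage());
            return;
        }
        try {
            lc.login(); // runs every LoginModule in the entry; throws if authentication fails
        } catch (LoginException e) {
            System.err.println("Authentication failed: " + e.getMessage());
            return;
        } finally {
            Arrays.fill(password, '\0'); // the modules have what they need; scrub our copy
        }
        Subject subject = lc.getSubject();
        for (Principal p : subject.getPrincipals()) {
            System.out.println("Authenticated as " + p.getName() + " (" + p.getClass().getSimpleName() + ")");
        }
        // ... perform work on behalf of the Subject ...
        try {
            lc.logout(); // removes the Principals and credentials the modules added
            System.out.println("Principals after logout: " + subject.getPrincipals().size());
        } catch (LoginException e) {
            System.err.println("Logout failed: " + e.getMessage());
        }
    }
}
```

Two points worth noticing: the LoginContext constructor, not login(), is where a misspelled or missing configuration entry is reported, and the CallbackHandler is passed in by the application, so the same module can be driven from a console, a JSP, or a test harness without change.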
LoginModule is the interface to specific authentication mechanisms. J2SE 1.4 ships with a set of ready-to-use LoginModules, including:

JndiLoginModule: Verifies against a directory service configured under JNDI (Java Naming and Directory Interface)

Krb5LoginModule: Authenticates using Kerberos protocols

NTLoginModule: Uses the current user's NT security information to authenticate

UnixLoginModule: Uses the current user's Unix security information to authenticate
Along with these modules comes a set of corresponding concrete Principal implementations in the com.sun.security.auth package, such as NTDomainPrincipal and UnixPrincipal.
The LoginModule interface has five methods:

initialize(): Called after the LoginModule is constructed.

login(): Performs the authentication.

commit(): Called by the LoginContext after it has accepted the results from all LoginModules defined for this application. We assign Principals and credentials to the Subject here.

abort(): Called when any LoginModule for this application fails (even though earlier ones in the sequence may have succeeded—thus akin to a 2PC model). No Principals or credentials are assigned to the Subject.

logout(): Removes the Principals and credentials associated with the Subject.
The application layer calls none of these methods directly—the LoginContext invokes them as needed. Our example below will elaborate on these methods' implementations.
CallbackHandlers and Callbacks let a LoginModule gather necessary authentication information from a user or system, while remaining independent of the actual interaction mechanism. We'll leverage that capability in our design—our RdbmsLoginModule does not depend on how the user credentials (username/password) are obtained and can thus be used in the different application environments we will illustrate (either from the command line or from a JSP).
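The following skeleton is added here as an illustration and is not the article's RdbmsLoginModule. It shows the five LoginModule methods with the two-phase commit/abort behaviour described above, and shows how login() uses the CallbackHandler received in initialize() to obtain a username and password without knowing whether they came from a console, a JSP, or a test. The class name SkeletonLoginModule, the in-memory USERS table (a constructed stand-in for the database lookup the article develops later) and the SimplePrincipal class are all assumptions made for this example.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class SkeletonLoginModule implements LoginModule {
    private Subject subject;                 // handed over by the LoginContext in initialize()
    private CallbackHandler callbackHandler; // handed over by the LoginContext in initialize()
    private boolean succeeded;               // phase-1 result, kept until commit() or abort()
    private String username;
    private Principal userPrincipal;

    // Constructed in-memory user table standing in for the article's database lookup.
    private static final Map<String, char[]> USERS = Map.of("alice", "s3cret".toCharArray());

    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.callbackHandler = callbackHandler; // options would carry e.g. a JDBC URL
    }

    /** Phase 1: collect credentials through the CallbackHandler and verify them. */
    @Override
    public boolean login() throws LoginException {
        if (callbackHandler == null) throw new LoginException("No CallbackHandler to collect credentials");
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback pwCb = new PasswordCallback("password: ", false);
        try {
            callbackHandler.handle(new Callback[] { nameCb, pwCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("Could not collect credentials: " + e.getMessage());
        }
        String name = nameCb.getName();
        char[] supplied = pwCb.getPassword(); // a copy; clear both it and the callback
        pwCb.clearPassword();
        char[] expected = name == null ? null : USERS.get(name);
        succeeded = constantTimeEquals(expected, supplied);
        if (supplied != null) Arrays.fill(supplied, '\0');
        if (!succeeded) throw new FailedLoginException("Bad username or password");
        username = name;
        return true;
    }

    /** Phase 2: every module passed phase 1, so attach our Principal to the Subject. */
    @Override
    public boolean commit() throws LoginException {
        if (!succeeded) return false;
        userPrincipal = new SimplePrincipal(username);
        subject.getPrincipals().add(userPrincipal); // a Set, so re-adding is harmless
        return true;
    }

    /** Some module in the chain failed: discard our phase-1 result and anything commit() added. */
    @Override
    public boolean abort() throws LoginException {
        if (!succeeded) return false;
        logout();
        return true;
    }

    @Override
    public boolean logout() throws LoginException {
        if (userPrincipal != null) subject.getPrincipals().remove(userPrincipal);
        succeeded = false;
        username = null;
        userPrincipal = null;
        return true;
    }

    // Compare without short-circuiting on the first mismatching character.
    private static boolean constantTimeEquals(char[] a, char[] b) {
        if (a == null || b == null || a.length != b.length) return false;
        int diff = 0;
        for (int i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    /** Minimal Principal; the concrete Principal implementations mentioned above play this role. */
    static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof SimplePrincipal && name.equals(((SimplePrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }
}
```

Note the division of labour that the two-phase design forces: login() only records success in a private field and never touches the Subject, commit() is the sole place that adds a Principal, and abort() reuses logout() so that a failure elsewhere in the chain leaves the Subject exactly as it was, whether or not this module's commit() had already run.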