This 10-Minute Solution provides a brief introduction to the Java Authentication and Authorization Service (JAAS) architecture, API, and programming model. It covers both authentication and authorization with JAAS, providing full working code examples that demonstrate JAAS security in action.
by Kyle Gabhart
Nov 7, 2002
Page 4 of 4
See JAAS in Action
Included with this Solution is a downloadable zip file that contains all the source code and class files necessary to see JAAS authentication and authorization in action.
SimpleAuth.java This file contains the main() method. It creates a LoginContext object by passing in a LoginModule configuration id ("JAAS_Module") and an instance of the CallbackHandler interface. The LoginContext reads a configuration file, looking for the configuration ID. Upon finding a match, it instantiates the specified LoginModules. Each LoginModule is initialized with a Subject, a CallbackHandler, shared LoginModule state, and LoginModule-specific options. Finally, the login process is kicked off by calling the login() method on the LoginContext object (which is implemented by the LoginModule class).
SimpleJAAS.config This file associates configuration IDs (simple text string) with LoginModules and optional properties.
SimpleCallbackHandler.java This file implements the CallbackHandler interface and handles the callback events passed by the security service components.
SimpleLoginModule.java This file implements the LoginModule interface and interfaces between the user and the CallbackHandler to authenticate the user. It uses two arrays to maintain the set of possible usernames and passwords. The passwords are then compared by passing a PasswordCallback instance to the SimpleCallbackHandler and using the readPassword() method defined in the SimpleCallbackHandler class.
SimplePrincipal.java This file provides a bare-bones implementation of the Principal interface.
SimpleAuthz.java This class is identical to the SimpleAuth.java class in all but one respect. After authenticating the user, it attempts a privileged action. To do this, the code obtains a reference to the current Subject and calls the doAsPrivileged() method from that object reference. We pass the Subject reference and an instance of the SimpleAction class into this method. The Java runtime then will take the supplied Subject reference and attempt to execute the privileged action defined within the run() method of the SimpleAction class.
SimpleAction.java This class implements the PrivilegedAction interface and defines a single method, run(). It attempts to perform a few actions that are restricted to privileged users (as defined by the policy file). If the Subject has the appropriate privileges to perform these actions, the method will execute without any trouble. Otherwise, it throws an exception.
SimpleJAAS.policy This file defines the activities for which permission has been granted and which code has permission to perform them (code-level access). These grant statements can further be narrowed to allow only a particular Principal (user-level access).
To test the application, run the provided script and indicate whether you want to test just authentication ('run auth') or authentication and authorization ('run authz'). When prompted for a username and password, provide any of the following pairs:
You will receive verbose output if the debug option in the config file debug property is set to 'true'. The output will be limited if it is set to 'false'.
DevX Java Pro Kyle Gabhart is an independent consultant, trainer, and public speaker specializing in Java technologies, XML, and Web services technologies. Visit his Web site http://www.gabhart.com to view his other writings and his upcoming speaking engagements. Kyle can be reached at firstname.lastname@example.org.