The backbone of a J2EE SSO architecture is the standard J2EE security model, which is well documented in other places (see Related Resources in the left-hand column). In a nutshell, J2EE security consists of principals (users) who are associated with roles (groups) that are given privileges (authorization). These roles with assigned privileges are further organized under the concept of a realm (domain). Each realm maps users and groups to privileges within its own scope. The key to providing SSO is seamlessly connecting these different realms (and corresponding enterprise systems) without requiring the user to enter authentication information each time he or she wishes to access another system.
Consider the following example: A user logs in to an application via HTTP, authenticating herself against the server's security realm (MemoryRealm, JDBCRealm, JAASRealm, etc). The user then uses the Web application's search feature, querying the database and returning a resultlist. The database could then require that the middleware platform authenticate against the DB before performing the transaction. Finally, the user wants to update information stored in her directory server (LDAP). This is a privileged action, requiring the user to first authenticate against the LDAP realm before modifying any directory data. All three of these realms likely require slightly different authentication schemes (different user IDs, passwords, additional security tokens, etc.), but the same principal (user) is accessing them each time.
Java can provide an elegant SSO solution for the above scenario (and any number of similar scenarios) using JAAS's pluggable login module architecture. JAAS login modules facilitate the smooth integration of J2EE's security framework with various systems and their respective heterogeneous authentication mechanisms (OS, LDAP, database, etc.). These modules can be configured to share authentication data and designed to correctly identify users and roles by mapping principals and roleseven across domains with differing security schemas.
The application components required for a JAAS SSO solution include the following:
- Two or more enterprise systems that need a common, integrated security framework
- Two or more JAAS login module classes to drive the authentication exchange between agent (user or subsystem) and callback handler
- One or more JAAS callback handler classes to respond to callback events in order to perform the actual authentication procedure(s)
- A login configuration file to define how JAAS will manage authentication across multiple security realms (configuration could even be stored in an XML file or database)
Assembling these components and connecting all of the pieces correctly can be a bit daunting the first time. Be sure to thoroughly test your JAAS authentication components individually with each system prior to attempting to link them and share authentication information. The process of packaging, deploying, and testing your solution should go something like this:
- Write a login module (implement
LoginModule, a subtype of
LoginContext) and a callback handler (implement
CallbackHandler interface) for authenticating against a single enterprise system (LDAP, database, etc.).
- Define the configuration for your login module (this could be as simple as an XML file containing a single statement).
- Define a UI (Web, console, or rich GUI) to capture authentication data, and then pass it to your login module.
- If this is a server-based solution (HTTP, sockets, RMI, etc.), define the J2EE security (constraints and roles) on the server in the usual way (
application.xml), and then define a realm on the server (
server.xml) that references the JAAS login module configuration (accomplished via the
appName attribute). Local (non-server) solutions will simply rely upon JAAS and a J2SE policy file to define security constraints and permissions.
- Start the server (specifying the login configuration file via a Java command line attribute), launch the client, and provide authentication credentials. Debug and modify as necessary to resolve any errors.
- Rinse and repeat. Continue this process as necessary until each enterprise system can successfully be authenticated via a JAAS login module.
- Finally, hook all of the individual authentication pieces together. The following section addresses this issue.
The above list simply gives you a brief overview of the process. For more details on how to actually accomplish these steps, please consult the links in the Related Resources space.