More than ever before, corporations are clamoring to evaluate their security architectures and identify any gaps. The Java platform, and specifically the J2EE platform, provides some of the most robust application-level security available today. The Java Authentication and Authorization Service (JAAS), which was introduced as an optional security package for the Java 2 SDK, Standard Edition, version 1.3, has been formally included as a part of the standard Java packages as of version 1.4.
This 10-Minute Solution provides a brief introduction to the JAAS (pronounced “Jazz”) architecture, API, and programming model. It covers both authentication and authorization with JAAS, providing full working code examples that demonstrate JAAS security in action.
How do I implement security, one of the most important aspects of today’s software applications, into my Java environment when most security implementations are inflexible, proprietary systems?
The Java Authentication and Authorization Service (JAAS) is a flexible, standardized API that supports runtime pluggability of security modules.What Is JAAS?
According to Sun’s Web site, “The Java Authentication and Authorization Service (JAAS) is a set of packages that enables services to authenticate and enforce access controls upon users. It implements a Java version of the standard Pluggable Authentication Module (PAM) framework, and supports user-based authorization.”
In practice, JAAS represents the new Java security standard, as it has formally been added to the JDK 1.4 code base. From an architectural standpoint, JAAS implements a Java version of the Pluggable Authentication Module (PAM) framework. First released in May 2000 by The PAM Forum, the framework is a modularized architecture designed to support the seamless exchange of one security protocol component for another. The framework allows multiple authentication technologies and/or authentication approaches to be added without changing or interfering with any of the existing login services. PAM can be used to integrate login services with various authentication technologies, such as RSA, DCE, Kerberos, S/Key, and even to support smart card-based authentication systems.
Authenticating with JAAS
JAAS authentication is deployed in a pluggable manner, using code modules that implement certain interfaces. This enables Java applications to remain decoupled from the underlying authentication technologies. Additional authentication protocols and updated authentication technologies can be plugged in at runtime without modifying the application or recompiling the source code.
The JAAS Authentication API is quite extensive. The key interfaces and classes that you need to familiarize yourself with are as follows:
Authorization with JAAS
JAAS authorization is built on top of JAAS authentication. It augments the existing code-centric access controls that were introduced with the Java 2 platform (JDK 1.2.x) with new user-centric access controls. In this way, JAAS authorization allows you to grant permissions based not on just what code is running but also on who is running it.
After a user has been authenticated by JAAS, the authorization API associates the Subject (created to represent the authenticated entity) with an appropriate access control context. Whenever the Subject attempts a restricted operation (database access, local file access, etc.), the Java runtime consults the policy file to determine which Principal(s) may perform the operation. If the Subject in question contains the designated Principal, the Java runtime allows the operation. Otherwise, it throws an exception.
You don’t need to import additional packages to access the JAAS authorization features, because JAAS authorization is built on top of JAAS authentication. In addition to the classes and interfaces used in the authentication piece, one additional interface is of interest for the simple example in this Solution:
See JAAS in Action
Included with this Solution is a downloadable zip file that contains all the source code and class files necessary to see JAAS authentication and authorization in action.
To test the application, run the provided script and indicate whether you want to test just authentication (‘run auth’) or authentication and authorization (‘run authz’). When prompted for a username and password, provide any of the following pairs:
You will receive verbose output if the debug option in the config file debug property is set to ‘true’. The output will be limited if it is set to ‘false’.