Chapter 9 Using the JAAS API
The Java Authentication and Authorization Service (JAAS) provides a framework and standard programming interface for authenticating users and assigning privileges. JAAS is based on the Pluggable Authentication Module (PAM) standard, which extends the access-control architecture of the Java 2 platform to support user-based authentication and authorization.
JAAS support is provided in EAServer as an alternative authentication mechanism. EAServer supports user name-password based JAAS authentication. The code-level authorization component of JAAS is not supported in this version of EAServer.
JAAS required when using corbaname URLs in clients
If an EJB client uses corbaname or corbaloc interoperable naming URLs, you must specify the user name and password using the JAAS API. See the "EAServer EJB Interoperability" chapter in the EAServer Programmer's Guide for more information on corbaname URLs and other interoperability features.
See the Java software Web site http://www.javasoft.com/products/jaas for more information about JAAS.
There are several new terms that are used throughout this chapter:
A principal represents a user identity that is used to gain access to a computing service; typically a user's login name or public key.
A credential represents a security attribute of a principal; typically a user's password or public-key certificate. The credential is set in the subject when a principal is authenticated successfully.
A subject is an entity that has one or more principals and their corresponding security attributes.
A login context is the JAAS framework for developing applications independent of the underlying authentication technology.
A login module is an authentication module that can be plugged in under a Java application using the JAAS framework. The module implements the JAAS javax.security.auth.spi.LoginModule interface. It performs authentication either on its own or by interacting with an external authentication service such as Kerberos.
A callback is the mechanism by which a login module retrieves from the Java application the parameter values it needs for authentication. The callback is implemented in the Java application to pass the required parameters to the login module. It implements the javax.security.auth.callback interface.
The JAAS configuration file specifies:
This is the interaction between an application, login module, and the JAAS configuration file:
The subject can then be used to gain access to controlled resources or to perform privileged actions.
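As an added example, not part of the EAServer documentation or of EAServer's own code, the following stand-alone Java program wires together the pieces this chapter names: a login module, an application-side callback handler, a configuration entry (built programmatically here, equivalent to the configuration-file entry shown in the comment), and a LoginContext that drives them. The application name DemoApp, the DemoLoginModule and StaticCallbackHandler classes, and the in-memory user table are constructed for the example.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Added example (not EAServer code): application, login module and configuration interacting through JAAS. */
public class JaasDemo {

    /** The Principal that commit() adds to the Subject once the user is authenticated. */
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "UserPrincipal[" + name + "]"; }
        @Override public boolean equals(Object o) { return o instanceof UserPrincipal && ((UserPrincipal) o).name.equals(name); }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** Hypothetical login module: verifies name/password against a constructed in-memory table. */
    public static class DemoLoginModule implements LoginModule {
        private static final Map<String, char[]> USERS = Map.of("alice", "s3cret".toCharArray()); // constructed sample
        private Subject subject;
        private CallbackHandler handler;
        private String authenticatedName; // set by login(), consumed by commit()
        private UserPrincipal principal;

        @Override public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        /** Phase 1: pull the user name and password from the application through callbacks and check them. */
        @Override public boolean login() throws LoginException {
            if (handler == null) throw new LoginException("no CallbackHandler supplied");
            NameCallback nameCb = new NameCallback("user name: ");
            PasswordCallback pwCb = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nameCb, pwCb });
            } catch (java.io.IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e);
            }
            char[] supplied = pwCb.getPassword();   // returns a copy; clear both copies after use
            pwCb.clearPassword();
            char[] expected = USERS.get(nameCb.getName());
            boolean ok = expected != null && supplied != null && Arrays.equals(supplied, expected);
            if (supplied != null) Arrays.fill(supplied, '\0');
            if (!ok) throw new FailedLoginException("bad user name or password"); // same message for either cause
            authenticatedName = nameCb.getName();
            return true;
        }

        /** Phase 2: only now is the Principal attached to the Subject. */
        @Override public boolean commit() {
            if (authenticatedName == null) return false;
            principal = new UserPrincipal(authenticatedName);
            subject.getPrincipals().add(principal);
            return true;
        }

        @Override public boolean abort() { authenticatedName = null; principal = null; return true; }

        @Override public boolean logout() {
            if (principal != null) subject.getPrincipals().remove(principal);
            principal = null; authenticatedName = null;
            return true;
        }
    }

    /** Application side: supplies values the application already collected to whichever callbacks the module asks for. */
    public static final class StaticCallbackHandler implements CallbackHandler {
        private final String name; private final char[] password;
        public StaticCallbackHandler(String name, char[] password) { this.name = name; this.password = password; }
        @Override public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(name);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb, "unsupported callback");
            }
        }
    }

    /** Programmatic equivalent of this JAAS configuration-file entry:  DemoApp { JaasDemo$DemoLoginModule required; }; */
    static Configuration demoConfiguration() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!"DemoApp".equals(name)) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        DemoLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, Collections.emptyMap()) };
            }
        };
    }

    public static void main(String[] args) {
        Configuration.setConfiguration(demoConfiguration());
        try { // LoginContext looks up DemoApp, instantiates the module, runs login() then commit()
            LoginContext lc = new LoginContext("DemoApp", new StaticCallbackHandler("alice", "s3cret".toCharArray()));
            lc.login();
            Subject subject = lc.getSubject();
            System.out.println("login ok, principals: " + subject.getPrincipals());
            lc.logout();
            System.out.println("after logout, principals: " + subject.getPrincipals());
        } catch (LoginException e) { System.out.println("unexpected failure: " + e.getMessage()); }
        try { // wrong password: login() throws, LoginContext calls abort(), no Principal is ever added
            new LoginContext("DemoApp", new StaticCallbackHandler("alice", "wrong".toCharArray())).login();
            System.out.println("BUG: login should have failed");
        } catch (LoginException e) { System.out.println("login refused: " + e.getMessage()); }
    }
}
```

Run with `javac JaasDemo.java && java JaasDemo`. Two points worth noticing: the Subject gains its Principal only in commit(), never in login(), so a module that fails in login() leaves nothing behind for abort() to clean up, and the module clears every copy of the password it obtains from the callback as soon as the comparison is done.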
Copyright © 2002 Sybase, Inc. All rights reserved.