Java Authentication and Authorization Service

Java Authentication and Authorization Service, or JAAS, pronounced "Jazz", is a Java security framework for user-centric security to augment the Java code-based security. Since Java Runtime Environment 1.4 JAAS has been integrated with the JRE - previously JAAS was supplied as an extension library by Sun.

JAAS's main goal is to separate the concerns of user authentication so that they may be managed independently. JAAS introduces a new term to the security architecture of the Java platform as an additional layer for the verification. While the former authentication mechanism contained information about where the code originated from and who is the signer of the code snippet, the latter platform adds a marker about who runs the code. By extending the verification vectors JAAS extends the security architecture for Java applications that require authentication and authorization modules.

Contents 1 Administration 2 Application interface 3 Security system integration 4 See also 5 External links

Administration

For the system administrator, JAAS consists of two kinds of configuration file:

• *.login.conf: specifies how to plug vendor-supplied login modules into particular applications
• *.policy: specifies which identities (users or programs) are granted which permissions

For example, an application may have this login.conf file indicating how different authentication mechanisms are to be run to authenticate the user:

   PetShopApplication {
      com.sun.security.auth.module.LdapLoginModule sufficient;
      com.foo.SmartcardLoginModule                 requisite;
      com.sun.security.auth.module.UnixLoginModule required debug=true;
   };

Application interface

For the application developer, JAAS is a standard library that provides:

• a representation of identity (Principal) and a set of credentials (Subject)
• a login service that will invoke your application callbacks to ask the user things like username and password. It returns a new Subject
• a service that tests if a Subject was granted a permission by an administrator.

Security system integration

For the security system integrator, JAAS provides interfaces:

• to provide your identity namespace to applications
• to attach credentials to threads (Subject)
• for developing login modules. Your module invokes callbacks to query the user, checks their response and generates a Subject.

See also

• PAM
• Apache Shiro
• Enterprise_JavaBean#Security
• Keystore

External links

• JAAS home page
• JAAS Tutorial
• jGuard : open source project which can secure standalone or web applications based on JAAS
• All that JAAS - Java World

Authentication APIs Common Data Security Architecture (CDSA) Generic Security Service API (GSSAPI) Java Authentication and Authorization Service (JAAS) Novell Modular Authentication Service (NMAS) Pluggable Authentication Modules (PAM) Security Support Provider Interface (SSPI) XCert Universal Database API (XUDA)