9.4. JAAS

The Java Authentication & Authorization Service (JAAS) enables an application to protect its resources by restricting access to only those users with proper credentials and permissions. JAAS provides a layer of abstraction between an application and its underlying security mechanisms, making it easier to change security technologies and realms without impacting the rest of the system. JAAS is a standard Java extension in J2SE 1.4, and provides pluggable authentication to give application designers a wide choice of security realms:
JAAS supports single sign-on for an application. Rather than forcing the user to log in to a web site, and then log in again to a forum or a backend legacy system used by the application, JAAS wraps all of this in one central login event to make it easier to coordinate access to all systems that the user needs. We chose JAAS as the basis for our security strategy because:
Although this isn't a JAAS book, we've added more detailed information on JAAS in Appendix C, JAAS Tutorial.

9.4.1. LoginModule

The LoginModule logs a user/Subject into a security realm based on their username and password. A LoginModule could interact with an operating system, a database, JNDI, LDAP, or a biometric device like a retinal scanner or touch pad. Application developers normally don't need to know very much about LoginModules because the LoginContext invokes them on behalf of an application, so your code never interacts with LoginModules directly. To add or remove a LoginModule used by your application, you need to modify only the LoginModule Configuration file; your code remains unchanged. This indirection enables an application to be independent of the underlying security mechanisms used.

Although you could write your own LoginModule, it is usually unnecessary because of the abundance of quality third-party Open Source implementations available. You only need to know how to configure (in the LoginModule Configuration file) and deploy them for your particular runtime environment. If the Open Source LoginModule implementations don't provide all the functionality you need, you can either modify the code from that library or write your own LoginModule. Since this topic is outside the scope of this book, please see the JAAS LoginModule Developer's Guide (http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/JAASLMDevGuide.html) for further details. Here are some freely available LoginModules:
We could easily configure the Tagish, Sun, or JBoss LoginModules and use them with the JAW Motors application. We chose the JBoss LoginModules because they're already bundled with JBoss and we don't need to configure any third-party JARs. Even though we're using LoginModules provided by JBoss, the application code remains vendor-neutral because: