Chapter 9. Authentication and Authorization with JAAS


Enterprise authentication and authorization requirements can be fairly complex. To make matters worse, not all applications or solutions in a given deployment environment originate from the same vendor. In addition, these applications may run on different operating systems. The Java language is the language of choice for portability between platforms, and it needs to integrate its authentication and authorization services with those of the containing environment. This chapter explains how the Java Authentication and Authorization Service (JAAS) accomplishes this integration and how it can be used. [1]

[1] This chapter is based on the Java 2 SDK V1.4 JAAS.

In J2EE security, the focus is on the declarative approach to maximize code portability, flexibility, and reusability. As enterprises evolve, their security requirements change. When applications contain code embodying security policies, it is much more difficult for an enterprise to change those security policies as new circumstances and threats arise.

There are limits to what security policies can be expressed using the declarative aspects of the J2EE security model. As such, this chapter introduces some additional mechanisms that applications can use to refine security policies. We start by explaining JAAS and then discuss the limitations on the use of JAAS from within J2EE applications, particularly from within servlet and EJB containers.



Enterprise Java™ Security: Building Secure J2EE™ Applications
ISBN: 0321118898
EAN: 2147483647
Year: 2004
Pages: 164
