Summary

Security products are based on keying mechanisms and authentication techniques in a variety of forms and different authentication mechanisms. The GSS-API provides a generic mechanism for defining authentication that is not bound by any specific network protocol or specific authentication mechanism. Kerberos is the most widely used authentication mechanism, but many more are supported such as SASL, which is an authentication mechanism used with LDAP servers. The GSS-API provides authentication, message confidentiality, and message integrity. JAAS, which is a pluggable authentication and authorization service that uses login modules, can work with the GSS-API to provide authentication and secure messages across different modes of communications, such as TCP/IP.

The GSS-API by definition is generic and uses OIDs to define the authentication mechanisms that it will use to authenticate. Standards and the service providers that the GSS-API will load when initializing define which OIDs are available. Since the OID is generic, code does not have to be changed when loading up a new authentication mechanism; only the OID needs to define a new mechanism and policy files for permission support. The GSS-API by itself is not an authentication mechanism. The GSS-API is simply an interface to use other authentication mechanisms such as Kerberos.

The GSS-API is not a transport mechanism like JSSE, because the GSS-API is not required to use sockets. The GSS-API is also not as pluggable as JAAS. It may require code changes for OIDs, and is not strictly used for authentication and authorization like JAAS because GSS-API is used for secure messaging. GSS-API is an interface and API mechanism for authentication, secure messaging, and key exchange that works with authentication mechanisms. GSS-API serves a different purpose than other Java APIs and provides secure functionality that is generic and can be extended to support many purposes such as secure messaging in the same machine.