9.4. JAAS

The Java Authentication & Authorization Service (JAAS) enables an application to protect its resources by restricting access to only those users with proper credentials and permissions. JAAS provides a layer of abstraction between an application and its underlying security mechanisms, making it easier to change security technologies and realms without impacting the rest of the system. JAAS is a standard Java extension in J2SE 1.4, and provides pluggable authentication to give application designers a wide choice of security realms:

  • DBMS

  • Application Server

  • LDAP

  • Operating System (UNIX or Windows NT/2000)

  • File System

  • JNDI

  • Biometrics

JAAS supports single sign-on for an application. Rather than forcing the user to log in to a web site, and then log in again to a forum or a backend legacy system used by the application, JAAS wraps all of this in one central login event to make it easier to coordinate access to all systems that the user needs. We chose JAAS as the basis for our security strategy because:

  • It provides a security context that covers the entire J2EE architecture from the web tier to the EJB tier.

  • It is application server neutral.

  • It integrates with the Java 2 security model.

  • It is part of the J2SE 1.4 extension API.

  • It is more sophisticated than the other authentication mechanisms and provides more functionality.

  • It supports single sign-on by coordinating multiple security realms.

  • It addresses authorization in addition to authentication.

  • It provides good encapsulation for authentication and authorization, enabling an application to be independent of the underlying security mechanisms used.

  • JBoss bases its security mechanism on JAAS.

Although this isn't a JAAS book, we've added more detailed information on JAAS in Appendix C, JAAS Tutorial.

9.4.1. LoginModule

The LoginModule logs a user/Subject into a security realm based on their username and password. A LoginModule could interact with an operating system, a database, JNDI, LDAP, or a biometric device like a retinal scanner or touch pad. Application developers normally don't need to know very much about LoginModules because the LoginContext invokes them on behalf of an application, so your code never interacts with LoginModules directly. To add or remove a LoginModule used by your application, you need to modify only the LoginModule Configuration file; your code remains unchanged. This indirection enables an application to be independent of the underlying security mechanisms used.

Although you could write your own LoginModule, it is usually unnecessary because of the abundance of quality third-party Open Source implementations available. You only need to know how to configure them (in the LoginModule Configuration file) and deploy them for your particular runtime environment. If the Open Source LoginModule implementations don't provide all the functionality you need, you can either modify the code from that library or write your own LoginModule. Since this topic is outside the scope of this book, please see the JAAS LoginModule Developer's Guide for further details. Here are some freely available LoginModules:

Tagish

Tagish has a set of Open Source JAAS LoginModules released under the GNU LGPL (Lesser GNU Public License). The Tagish collection has the following LoginModules:

  • DBMS

  • File System

  • Windows NT/2000 domain

Sun Microsystems

Sun bundles several LoginModules with J2SE 1.4. However, they live in a Sun-specific package and are not officially part of J2SE 1.4 because they're Sun's implementation of the JAAS interfaces. Sun provides the following LoginModules:

  • Kerberos

  • Key Store

  • JNDI

  • Windows NT

  • UNIX

JBoss

JBoss provides several LoginModules with its distribution, including:

  • DBMS

  • File-based

  • Key Store

  • LDAP

  • External Client

We could easily configure the Tagish, Sun, or JBoss LoginModules and use them with the JAW Motors application. We chose the JBoss LoginModules because they're already bundled with JBoss and we don't need to configure any third-party JARs. Even though we're using LoginModules provided by JBoss, the application code remains vendor-neutral because:

  • The LoginModules are configured in an external configuration file.

  • The application code doesn't change if you use different LoginModules.
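The following is an added, self-contained illustration of the indirection described in Section 9.4.1 and in the two points above; it is not code from this book, from JBoss, or from any of the LoginModule collections listed. The application side (`authenticate`) names only a configuration entry, `JawMotors`, and supplies credentials through a `CallbackHandler`; which LoginModule actually runs is decided by the LoginModule Configuration file, written here to a temporary file so the program runs offline. Because a real DBMS or LDAP module needs a server, the entry points at `DemoLoginModule`, a constructed in-memory module with one made-up user (`alice`); the class names, the entry name, and the credentials are all assumptions of this example, and everything else uses only the standard `javax.security.auth` API.

```java
import java.io.IOException;
import java.nio.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasLoginDemo {

    /** Constructed stand-in for a real LoginModule (DBMS, LDAP, file, ...): one hard-coded user. */
    public static class DemoLoginModule implements LoginModule {
        // Constructed credential store: username -> SHA-256(password). A production module would use a
        // salted, slow password hash (PBKDF2, bcrypt, scrypt); plain SHA-256 is only to keep this short.
        private static final Map<String, byte[]> USERS = new HashMap<>();
        private static final byte[] DUMMY_HASH = sha256("no-such-user".toCharArray());
        static { USERS.put("alice", sha256("alice-secret".toCharArray())); }

        private Subject subject;
        private CallbackHandler handler;
        private Principal principal;

        @Override public void initialize(Subject subject, CallbackHandler handler,
                                         Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        @Override public boolean login() throws LoginException {     // phase 1: verify credentials
            if (handler == null) throw new LoginException("no CallbackHandler available");
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });           // ask the application for credentials
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e.getMessage());
            }
            char[] pw = pc.getPassword();                            // getPassword() returns a copy ...
            pc.clearPassword();                                      // ... so wipe the callback's own copy
            byte[] actual = sha256(pw == null ? new char[0] : pw);
            if (pw != null) Arrays.fill(pw, '\0');
            // Constant-time compare, against a dummy hash for unknown users, so response time does not
            // reveal whether the username exists; '&' rather than '&&' avoids short-circuiting.
            boolean ok = MessageDigest.isEqual(USERS.getOrDefault(nc.getName(), DUMMY_HASH), actual)
                         & USERS.containsKey(nc.getName());
            if (!ok) throw new FailedLoginException("bad username or password");
            principal = new NamedPrincipal(nc.getName());
            return true;
        }

        @Override public boolean commit() {                          // phase 2: attach identity to the Subject
            if (principal == null) return false;
            subject.getPrincipals().add(principal);
            return true;
        }
        @Override public boolean abort() { principal = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().remove(principal); principal = null; return true; }
    }

    /** Minimal Principal; equals/hashCode matter because a Subject keeps its principals in a Set. */
    public static final class NamedPrincipal implements Principal {
        private final String name;
        public NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof NamedPrincipal && name.equals(((NamedPrincipal) o).name); }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "NamedPrincipal[" + name + "]"; }
    }

    /** Hash a char[] without turning it into an immutable String that would linger in the heap. */
    static byte[] sha256(char[] chars) {
        ByteBuffer bb = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
        byte[] bytes = new byte[bb.remaining()];
        bb.get(bytes);
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(bytes);
            Arrays.fill(bytes, (byte) 0);
            return digest;
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    /** Application-side code: it names a configuration entry, never a LoginModule class. */
    public static Subject authenticate(String configEntry, String user, char[] password) throws LoginException {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb, "unsupported callback");
            }
        };
        LoginContext lc = new LoginContext(configEntry, handler);
        lc.login();                                                  // runs login() then commit() on each module
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        // The LoginModule Configuration file. Replacing DemoLoginModule with a DBMS or LDAP module
        // changes only these three lines; authenticate() above is untouched.
        Path conf = Files.createTempFile("jaas", ".conf");
        Files.write(conf, Arrays.asList("JawMotors {",
                "    " + DemoLoginModule.class.getName() + " required;", "};"));
        System.setProperty("java.security.auth.login.config", conf.toString());

        Subject alice = authenticate("JawMotors", "alice", "alice-secret".toCharArray());
        System.out.println("login ok, principals = " + alice.getPrincipals());
        try {
            authenticate("JawMotors", "alice", "wrong".toCharArray());
        } catch (FailedLoginException e) {
            System.out.println("login rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac JaasLoginDemo.java && java JaasLoginDemo`. The first call prints the authenticated `Subject`'s principals and the second is rejected with `FailedLoginException`. In a deployed application the configuration file would be shipped alongside the application (or supplied by the container, as JBoss does) rather than generated at startup, and the module name in it would be the vendor's class; the `required` flag is one of the four JAAS control flags (`required`, `requisite`, `sufficient`, `optional`) that let one entry stack several LoginModules, which is how the single sign-on across realms described above is expressed.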

JBoss at Work: A Practical Guide
ISBN: 0596007345
Year: 2004
Pages: 197
