9.1 Overview of JAAS and JAAS Terminology


Authentication and authorization are key elements in any secure information-handling system. Initially, much of the Java authentication and authorization focus was on downloadable code running in Web browsers. At that time, that focus was valid, as the client systems needed to be protected from mobile code obtained from arbitrary sites on the Internet. Once mobile code had been downloaded into a client system, it was necessary to authenticate and authorize the code to perform privileged operations, including networking and file I/O. Later, the Java language matured and supported RMI. One of the features of Java's RMI is the ability to dynamically download code, including the client-side stubs needed to call the remote code. This feature reinforced the need for authentication of mobile code. In evolving from a client-centric Web technology to a server-side scripting and integration technology, the Java platform required additional authentication and authorization mechanisms to be effective in the server arena.

Traditional computing systems perform authentication on a principal or other accountable entity, typically through a challenge/response mechanism. The most salient of these mechanisms is a user ID and password combination, often used for server or Web resources, such as HTTP basic authentication. However, the challenge may need to be more sophisticated. Variants include the encryption of information, the possession of a specific physical token (for example, a physical key for a locking mechanism, or a fingerprint), or the knowledge of specific information, such as the user's mother's maiden name or the value from a one-time keypad. The response must be valid, based on the type of the challenge.

Similarly, most enterprise computing systems base authorization on a subject and an object. Typically, the subject is an authenticated principal, and the object is a resource authorized for use by the principal. In UNIX and many other operating systems, a subject is a user ID or group ID, and the objects include file system entries, such as files and/or devices. In particular, the authenticated principal is most often associated with an operating system process, although on some systems, the granularity may be to the thread of execution (see Section 8.6 on page 267). When an attempt is made to access a protected resource, the operating system authorization mechanism verifies whether the currently executing subject is authorized for the object.

Prior to creation of JAAS, the Java authorization mechanisms did not contain the structure necessary to support traditional authentication and authorization. Authentication in J2SE was based on using public-key cryptography for digital signatures applied to the set of methods and classes executing in the Java runtime. Authorization was not based on the principal's making a request for computing or data resources. In practice, authorization was based on the code's attempting to use the computing or data resources. JAAS was designed specifically to address these shortcomings in a manner consistent with the existing J2SE security infrastructure. [2]

[2] C. Lai, L. Gong, L. Koved, A. Nadalin, and R. Schemers. "User Authentication and Authorization in the Java™ Platform," Proceedings of the 15th Annual Computer Security Applications Conference. Phoenix, AZ. December 1999.

As previously described in this book, particularly in Chapter 3 on page 55, the authentication and authorization system is an integral part of the overall framework for enterprise Java security. Much of the security policy information is encoded in deployment descriptors (XML documents that describe the application and its transaction/security attributes) and managed by the J2EE containers. However, for completeness, we include this chapter on JAAS to enable you to better understand the mechanisms J2EE containers might use for authentication and authorization. You might also find this chapter useful when developing client code, servlets, or JSP files, for which you need to write authentication or authorization code or need to develop an application-specific fine-grained authorization scheme.

As its name implies, JAAS is divided into two major components: authentication and authorization. The authentication part of JAAS is designed around Pluggable Authentication Modules (PAMs), usable on both clients and servers. The authorization components are designed as an extension of the authorization mechanisms previously found in J2SE. In J2SE V1.4, the JAAS classes, shipped in the javax.security.auth package and its subpackages, are an integral part of the SDK and the JRE. Previously, in J2SE V1.3, JAAS was offered as a standard extension to the SDK and JRE. For the purposes of this chapter, we assume the J2SE V1.4 version of JAAS.

To authorize access to resources, applications first need to authenticate the source of the request. The JAAS framework uses the term subject to represent the source of a request. A subject may be any entity, such as a person or a service. A subject is represented by the javax.security.auth.Subject class.

Once authenticated, a Subject is associated with identities, or principals, which in JAAS are represented as java.security.Principal objects. A Subject may contain multiple Principals. For example, a person may have a Principal name and a Principal Social Security Number (SSN), each of which distinguishes that Subject from other Subjects.

In addition to associated Principals, a Subject may possess security-related attributes, or credentials. A credential is a user's identifying data. A credential may contain information used to authenticate the subject to other services. Such credentials include passwords, Kerberos tickets, and public-key certificates for signing data. Credentials might also contain data that simply enables the subject to perform specific activities. For example, cryptographic keys can enable the subject to sign or encrypt data. Any class, therefore, can represent a credential; for this reason, credential classes do not have to be part of the JAAS API.
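
The following added example, which is not code from the book, builds a Subject carrying the name and SSN Principals described above and attaches credentials to it. NamePrincipal, SsnPrincipal, and SigningKeyId are hypothetical classes, all values are constructed, and the record syntax assumes Java 16 or later rather than J2SE V1.4.

```java
import java.security.Principal;
import java.util.Arrays;
import javax.security.auth.Subject;

public class SubjectDemo {
    // Hypothetical Principal types for this example; they are not JAAS classes.
    // Records supply equals/hashCode, which the Subject's Set of principals relies on.
    record NamePrincipal(String value) implements Principal {
        public String getName() { return value; }
    }
    record SsnPrincipal(String value) implements Principal {
        public String getName() { return value; }
    }
    // Any class can be a credential; this one is also made up for the example.
    record SigningKeyId(String alias) {}

    public static void main(String[] args) {
        Subject subject = new Subject();

        // Two identities for the same Subject (constructed sample values).
        subject.getPrincipals().add(new NamePrincipal("Alice Example"));
        subject.getPrincipals().add(new SsnPrincipal("000-00-0000"));

        // Public credential: safe to share. Private credential: secret material.
        subject.getPublicCredentials().add(new SigningKeyId("alice-signing-key"));
        char[] password = "constructed-sample-password".toCharArray();
        subject.getPrivateCredentials().add(password);

        // Look up identities and credentials by type rather than by position.
        for (Principal p : subject.getPrincipals(SsnPrincipal.class)) {
            System.out.println("SSN principal: " + p.getName());
        }
        for (char[] secret : subject.getPrivateCredentials(char[].class)) {
            System.out.println("private credential length: " + secret.length);
        }

        // Freeze the Subject so later code cannot add identities to it.
        subject.setReadOnly();
        try {
            subject.getPrincipals().add(new NamePrincipal("Another Name"));
        } catch (IllegalStateException e) {
            System.out.println("read-only Subject rejected the new principal");
        }

        // Clear the secret once it is no longer needed.
        Arrays.fill(password, '\0');
    }
}
```

Holding the password as a char[] rather than a String lets the caller overwrite it after use, which is why the private credential is stored that way here.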



Enterprise Java Security. Building Secure J2EE Applications
ISBN: 0321118898
EAN: 2147483647
Year: 2004
Pages: 164
