• Java Authentication and Authorization Service (JAAS) is used for both authentication and authorization of users
  • For every Java (J2EE) application, authentication and access control are considered important security measures
  • Using JAAS, a single security standard can be implemented across all Java applications
  • JAAS provides a pluggable and flexible framework that enables developers to implement various security mechanisms and security sources
  • Authentication in JAAS determines which user is currently executing the Java code, regardless of the environment (an application, servlet, applet, etc.)
  • Authorization in JAAS determines whether the authenticated user holds the access rights required to perform specified actions
  • JAAS implements the Pluggable Authentication Module (PAM) framework for the purpose of authentication
  • JAAS was integrated into J2EE (Java 2 Enterprise Edition) and JDK 1.4

JAAS Features

  • JAAS is implemented using pure Java
  • Authentication of users is done through the PAM framework
  • JAAS supports single sign-on for login authentication in J2EE applications
  • JAAS provides centralized role-based control that includes hierarchical roles
  • JAAS provides access control policies for user-based, group-based, and role-based authorization

JAAS Architecture

  • The application layer interacts only with a LoginContext
  • Behind the LoginContext sit one or more LoginModules that are configured dynamically
  • These LoginModules make use of the appropriate security infrastructure to achieve authentication
  • JAAS also provides reference LoginModule implementations such as JndiLoginModule
  • JAAS is stackable in addition to being pluggable
  • A single login is carried out through an ordered stack of security modules, layered one over the other, that interact with the Java architecture
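The architecture above in a minimal, self-contained form, added here as an example that is not part of the original page: the application talks only to a LoginContext, a hypothetical DemoLoginModule sits behind it, and the Configuration is the programmatic equivalent of a jaas.conf entry (the place where further modules would be stacked with their own control flags). The module and principal class names and the alice/s3cret credential are constructed for the demo.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class JaasDemo {
    // Hypothetical module: login() gathers credentials through callbacks and checks them; commit() runs only
    // after the whole stack succeeded and attaches a Principal to the Subject (two-phase login).
    public static class DemoLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private String user; private boolean ok;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
        public boolean login() throws LoginException {
            Callback[] cbs = { new NameCallback("user: "), new PasswordCallback("password: ", false) };
            try { handler.handle(cbs); } catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
            user = ((NameCallback) cbs[0]).getName();
            char[] pw = ((PasswordCallback) cbs[1]).getPassword();
            ok = "alice".equals(user) && Arrays.equals(pw, "s3cret".toCharArray()); // constructed demo credential
            ((PasswordCallback) cbs[1]).clearPassword();
            if (!ok) throw new FailedLoginException("bad credentials for " + user);
            return true;
        }
        public boolean commit() { if (ok) subject.getPrincipals().add(new DemoPrincipal(user)); return ok; }
        public boolean abort() { ok = false; return true; } // some other module in the stack failed
        public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof DemoPrincipal); return true; }
    }
    static final class DemoPrincipal implements Principal { private final String name; DemoPrincipal(String n) { name = n; }
        public String getName() { return name; } public String toString() { return "DemoPrincipal[" + name + "]"; } }
    static Configuration config() { // programmatic equivalent of:  Demo { JaasDemo$DemoLoginModule required; };
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        };
    }
    static CallbackHandler handler(String user, String pw) { // answers the callbacks the module issues
        return cbs -> { for (Callback cb : cbs) {
            if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
            else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pw.toCharArray());
            else throw new UnsupportedCallbackException(cb); } };
    }
    public static void main(String[] args) throws LoginException {
        LoginContext lc = new LoginContext("Demo", new Subject(), handler("alice", "s3cret"), config());
        lc.login(); // runs login() on every stacked module, then commit() on all of them (abort() on failure)
        System.out.println("authenticated: " + lc.getSubject().getPrincipals());
        try { new LoginContext("Demo", new Subject(), handler("alice", "wrong"), config()).login(); }
        catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Adding a second AppConfigurationEntry (for example JndiLoginModule with OPTIONAL or SUFFICIENT) to the array is all that is needed to stack modules; the LoginContext drives the whole stack from the one login() call.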