  • Authentication is used to verify whether the user is eligible to access the application
  • JAAS enables plugging in various authentication modules at runtime
  • The client application interacts with JAAS through the LoginContext object
  • Authentication in JAAS can be implemented using the following set of classes, as represented in the diagram
    – LoginContext
    – LoginModule
    – CallbackHandler

Authentication Steps in JAAS

  • The initial step is to create a LoginContext object. The LoginContext consults the configuration file to identify which LoginModule is to be loaded. Optionally, a CallbackHandler can be passed to the LoginContext
  • The login method of LoginContext is called to perform authentication. This loads the configured LoginModule, which verifies whether the user can be authenticated
  • On a successful login, the credentials and principals are associated with the Subject
  • In case of login failure, a LoginException is thrown
  • To log out from the application, call the logout method of LoginContext
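The five steps above, carried through end to end as an added example (not code from the original slides): a LoginModule that checks a name/password pair against a constructed in-memory table, a CallbackHandler that supplies the credentials, a programmatic Configuration (standing in for the configuration file) that names that module, and a LoginContext that drives login, commit and logout. The application name "DemoApp", the class names and the sample user are assumptions; it targets Java 11 or later.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.sun.security.auth.UserPrincipal;

public class JaasAuthDemo {

    /** Hypothetical LoginModule: verifies credentials obtained through the CallbackHandler. */
    public static class DemoLoginModule implements LoginModule {
        // Constructed sample data; a real module would compare against a password hash, not plaintext.
        private static final Map<String, char[]> USERS = Map.of("alice", "s3cret".toCharArray());
        private Subject subject;
        private CallbackHandler handler;
        private UserPrincipal principal;
        private boolean succeeded;

        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        @Override
        public boolean login() throws LoginException {
            if (handler == null) throw new LoginException("no CallbackHandler supplied");
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });   // ask the application for credentials
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e.getMessage());
            }
            char[] expected = USERS.get(nc.getName());
            char[] given = pc.getPassword();
            pc.clearPassword();
            succeeded = expected != null && given != null && Arrays.equals(expected, given);
            if (given != null) Arrays.fill(given, '\0');      // do not leave the password in memory
            if (!succeeded) throw new FailedLoginException("invalid user or password");
            principal = new UserPrincipal(nc.getName());
            return true;
        }

        @Override
        public boolean commit() {                  // called by LoginContext when the overall login succeeded
            if (!succeeded) return false;
            subject.getPrincipals().add(principal);  // associate the principal with the Subject
            return true;
        }

        @Override
        public boolean abort() {                   // called when another module in the stack failed
            succeeded = false;
            principal = null;
            return true;
        }

        @Override
        public boolean logout() {
            subject.getPrincipals().remove(principal);
            succeeded = false;
            return true;
        }
    }

    /** Programmatic stand-in for the JAAS configuration file: "DemoApp" uses DemoLoginModule as REQUIRED. */
    static final class DemoConfiguration extends Configuration {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!"DemoApp".equals(name)) return null;
            return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.emptyMap()) };
        }
    }

    /** CallbackHandler that answers Name/Password callbacks with fixed values (a UI would prompt instead). */
    static CallbackHandler credentials(String user, String password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    /** Step 1 and 2: create the LoginContext and call login(); throws LoginException on failure (step 4). */
    static LoginContext authenticate(String user, String password) throws LoginException {
        LoginContext lc = new LoginContext("DemoApp", null, credentials(user, password), new DemoConfiguration());
        lc.login();
        return lc;
    }

    public static void main(String[] args) throws Exception {
        LoginContext lc = authenticate("alice", "s3cret");
        System.out.println("authenticated, principals = " + lc.getSubject().getPrincipals());
        lc.logout();                                            // step 5
        System.out.println("after logout, principals = " + lc.getSubject().getPrincipals());
        try {
            authenticate("alice", "wrong");
        } catch (LoginException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Passing the Configuration to the LoginContext constructor keeps the example self-contained; in a deployed application the same entry would live in the file named by the `java.security.auth.login.config` system property, and the module would be located through that file rather than through code.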

Authorization in JAAS

  • Authorization of a user determines whether the (authenticated) user is eligible to perform certain functions in the application, such as accessing a resource
  • Since JAAS is built on the existing Java security model, authorization is policy-based
  • The policy configuration file consists of a list of entries such as "keystore" and "grant"
  • A grant entry specifies the permissions granted to authenticated code or principals to perform security-sensitive operations
  • JAAS also supports principal-based policy entries
  • Permissions are granted in the policy with regard to specific principals

The basic format of a grant entry is as follows:

Authorization in JAAS (cont’d)

  • The Policy object in JAAS represents the system security policy for a Java application environment
  • Once the user is authenticated, authorization takes place through the Subject.doAs or Subject.doAsPrivileged method
  • The doAs method dynamically associates the Subject with the current AccessControlContext and then invokes the run method, during which the security checks are performed

Access Manager Policy Framework

Authorization Steps in JAAS

  1. The initial step is to invoke Subject.doAs or Subject.doAsPrivileged
  2. Check the permission by calling SecurityManager.checkPermission or one of the other check methods
  3. The SecurityManager redirects the check to the AccessController
  4. The AccessController checks whether the relevant AccessControlContext includes all the permissions required for the action to be performed
  5. The AccessControlContext is updated by the SecurityManager with the permission policies granted to the Subject
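The principal-based grant entry whose format the earlier slide introduces, and the doAs / checkPermission sequence listed above, as one added example (not code from the original slides). Instead of installing a SecurityManager and loading a policy file, it registers a small Policy subclass programmatically that encodes the same grant entry (shown in the comment), so the check goes from Subject.doAs straight to AccessController.checkPermission and then to the Policy, which sees the Subject's principals in the ProtectionDomain. The user names, the file path and the class names are assumptions. Note that the SecurityManager, Policy and AccessController machinery this relies on has been deprecated for removal since Java 17 (JEP 411); the example was written against the Java 11 to 17 behaviour.

```java
import java.io.FilePermission;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import javax.security.auth.Subject;
import com.sun.security.auth.UserPrincipal;

public class JaasAuthzDemo {

    /*
     * Equivalent principal-based grant entry in a policy file (hypothetical jaas.policy):
     *
     *   grant Principal com.sun.security.auth.UserPrincipal "alice" {
     *       permission java.io.FilePermission "/tmp/report.txt", "read";
     *   };
     */
    static final class PrincipalPolicy extends Policy {
        private static final Permission GRANTED = new FilePermission("/tmp/report.txt", "read");

        // Called by ProtectionDomain.implies for every domain in the AccessControlContext.
        // Inside Subject.doAs the domains carry the Subject's principals (step 5 of the list).
        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            for (Principal p : domain.getPrincipals()) {
                if (p instanceof UserPrincipal && "alice".equals(p.getName())) {
                    return GRANTED.implies(permission);
                }
            }
            return false;   // no matching principal: nothing is granted
        }
    }

    /** Builds a read-only authenticated Subject carrying one UserPrincipal (as a LoginModule's commit would). */
    static Subject subjectFor(String user) {
        Subject s = new Subject();
        s.getPrincipals().add(new UserPrincipal(user));
        s.setReadOnly();
        return s;
    }

    /** Steps 1 to 4: run the action as the Subject and ask the AccessController for the permission. */
    static boolean canReadReport(Subject subject) {
        PrivilegedAction<Boolean> action = () -> {
            try {
                AccessController.checkPermission(new FilePermission("/tmp/report.txt", "read"));
                return true;                       // every domain in the context implied the permission
            } catch (AccessControlException e) {
                return false;                      // at least one domain lacked it
            }
        };
        return Subject.doAs(subject, action);
    }

    public static void main(String[] args) {
        Policy.setPolicy(new PrincipalPolicy());  // stands in for -Djava.security.policy=jaas.policy
        System.out.println("alice can read report: " + canReadReport(subjectFor("alice")));  // true
        System.out.println("bob can read report:   " + canReadReport(subjectFor("bob")));    // false
    }
}
```

The decision is made per ProtectionDomain, not per Subject: the SubjectDomainCombiner that doAs installs re-creates each domain on the call stack with the Subject's principals attached, which is why a grant keyed on a Principal only takes effect for code running inside doAs or doAsPrivileged.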