http://70.231.62.181/index.php?action=history&feed=atom&title=Java_Authentication_and_Authorization_ServiceJava Authentication and Authorization Service - Revision history2026-04-23T07:43:29ZRevision history for this page on the wikiMediaWiki 1.45.1http://70.231.62.181/index.php?title=Java_Authentication_and_Authorization_Service&diff=2463874&oldid=previmported>Dujo: Move external link to reference2025-08-14T21:50:43Z<p>Move external link to reference</p>
<p><b>New page</b></p><div>{{Short description|Java implementation of Pluggable Authentication Module}}<br />
{{Refimprove|date=November 2024}}<br />
<br />
<br />
'''Java Authentication and Authorization Service''', or '''JAAS''', pronounced "Jazz",<ref name="guide">{{Cite book |title = Java and internet security |url = https://books.google.com/books?id=JY7c3AIIXqMC |author1= Theodore J. Shrader |author2= Bruce A. Rich |author3= Anthony J. Nadalin |year = 2000|page = 152| publisher=iUniverse |isbn = 9780595135004}}</ref> is the [[Java (programming language)|Java]] implementation of the standard [[Pluggable Authentication Module]] (PAM) [[information security]] framework.<ref>{{cite web<br />
|url= http://download.oracle.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html<br />
|title= Java Authentication and Authorization Service (JAAS) Reference Guide<br />
|work= oracle.com<br />
|publisher= [[Oracle Corporation]]<br />
|access-date= 22 May 2012<br />
|archive-url= https://web.archive.org/web/20120606055808/http://docs.oracle.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html<br />
|archive-date= 6 June 2012<br />
|url-status= dead<br />
}}</ref><br />
JAAS was introduced as an extension library to the [[Java Platform, Standard Edition]] 1.3 and was integrated in version 1.4.<ref name="guide" /><br />
<br />
JAAS has as its main goal the [[separation of concerns]] of user authentication so that they may be managed independently. While the former [[authentication]] mechanism contained information about where the code originated from and who signed that code, JAAS adds a marker about who runs the code. By extending the verification vectors JAAS extends the security architecture for Java applications that require authentication and [[authorization]] modules.<br />
<br />
== Administration ==<br />
For the [[system administrator]], JAAS consists of two kinds of [[configuration file]]:<br />
*<code>*.login.conf</code>: specifies how to plug vendor-supplied [[login]] modules into particular applications<br />
*<code>*.policy</code>: specifies which identities (users or programs) are granted which permissions<br />
<br />
For example, an application may have this {{mono|login.conf}} file indicating how different authentication mechanisms are to be run to authenticate the user:<br />
<br />
PetShopApplication {<br />
com.sun.security.auth.module.LdapLoginModule sufficient;<br />
com.foo.SmartcardLoginModule requisite;<br />
com.sun.security.auth.module.UnixLoginModule required debug=true;<br />
}<br />
<br />
== Application interface ==<br />
<br />
For the application developer, JAAS is a standard library that provides:<br />
* a representation of identity (''[[Principal (computer security)|Principal]]'') and a set of credentials (''[[Subject (access control)#Computer security|Subject]]'')<br />
* a [[login]] service that will invoke your application [[Callback (computer programming)|callbacks]] to ask the user things like username and [[password]]. It returns a new ''Subject''<br />
* a service that tests if a Subject was granted a permission by an administrator.<br />
<br />
== Security system integration ==<br />
<br />
For the security system integrator, JAAS provides interfaces:<br />
* to provide your identity namespace to applications<br />
* to attach credentials to threads (''Subject'')<br />
* for developing [[login]] modules. Your module invokes [[Callback (computer programming)|callbacks]] to query the user, checks their response and generates a ''Subject''.<br />
<br />
== Login Modules ==<br />
Login modules are primarily concerned with authentication rather than authorization and form a widely used component of JAAS.<ref>{{Cite journal|url=https://javaranch.com/journal/2008/04/Journal200804.jsp#a6|title=JAAS Tutorial|first1=Rahul|last1=Bhattacharjee|date=April 2008|volume=7|issue=1|website=javaranch.com}}</ref> A login module is required to implement the <code>javax.security.auth.spi.LoginModule</code> interface, which specifies the following methods:<br />
<br />
Note: A <code>Subject</code> is the user that is attempting to log in.<br />
<br />
*'''initialize:''' Code to initialize the login module, usually by storing the parameters passed into appropriate fields of the <code>Class</code>.<br />
*'''login:''' Actually check the credentials provided via an <code>Object</code> that implements the <code>javax.security.auth.Callback</code> interface (e.g. check against a database). This method could prompt the user for their login and password or it could use details previously obtained. It is important to note here that, if invalid credentials are supplied then a <code>javax.security.auth.login.FailedLoginException</code> should be thrown (rather than returning false, which indicates that this login module should be ignored, which potentially allows authentication to succeed).<br />
*'''commit:''' The identity of the subject has been verified, so code in this method sets up the <code>Principal</code> and <code>Groups</code> (roles) for the successfully authenticated subject. This method has to be written carefully in enterprise applications as Java EE application servers often expect the relationships between the <code>Principal</code> and <code>Group</code> objects to be set up in a certain way. This method should throw a <code>javax.security.auth.login.FailedLoginException</code> if authentication fails (e.g. a user has specified an incorrect login or password).<br />
*'''abort:''' Called if the authentication process itself fails. If this method returns false, then this Login Module is ignored.<br />
*'''logout:''' Code that should be executed upon logout (e.g. could remove the <code>Principal</code> from the <code>Subject</code> or could invalidate a web session).<br />
<br />
Login modules can provide single sign on (SSO) via a particular SSO protocol/framework (e.g. [[SAML]], [[OpenID]], and [[SPNEGO]]), can check for the presence of hardware security tokens (e.g. USB token), etc. In an n-tier application, <code>LoginModules</code> can be present on both the client side and server side.<br />
<br />
=== LoginModule (<code>javax.security.auth.spi.LoginModule</code>) ===<br />
Login modules are written by implementing this interface; they contain the actual code for authentication. It can use various mechanisms to authenticate user credentials. The code could retrieve a password from a database and compare it to the password supplied to the module.<br />
<br />
=== LoginContext (<code>javax.security.auth.login.LoginContext</code>) ===<br />
The login context is the core of the JAAS framework which kicks off the authentication process by creating a Subject. As the authentication process proceeds, the subject is populated with various principals and credentials for further processing.<br />
<br />
=== Subject (<code>javax.security.auth.Subject</code>) ===<br />
A subject represents a single user, entity or system –in other words, a client– requesting authentication.<br />
<br />
=== Principal (<code>java.security.Principal</code>) ===<br />
A principal represents the face of a subject. It encapsulates features or properties of a subject. A subject can contain multiple principals.<br />
<br />
=== Credentials ===<br />
Credentials are nothing but pieces of information regarding the subject in consideration. They might be account numbers, passwords, certificates etc. As the credential represents some important information, the further interfaces might be useful for creating a proper and secure credential – <code>javax.security.auth.Destroyable</code> and <code>javax.security.auth.Refreshable</code>. Suppose that after the successful authentication of the user you populate the subject with a secret ID (in the form of a credential) with which the subject can execute some critical services, but the credential should be removed after a specific time. In that case, one might want to implement the <code>Destroyable</code> interface. <code>Refreshable</code> might be useful if a credential has only a limited timespan in which it is valid.<br />
<br />
== See also ==<br />
* [[Apache Shiro]]<br />
* [[Keystore]]<br />
* [http://oaccframework.org OACC]<br />
<br />
==References==<br />
{{Reflist}}<br />
<br />
==External links==<br />
* [http://jguard.xwiki.com/ jGuard : open source project which can secure standalone or web applications based on JAAS] {{Webarchive|url=https://web.archive.org/web/20081202041403/http://jguard.xwiki.com/ |date=2008-12-02 }}<br />
* {{cite web |last1=Musser |first1=John |last2=Feuer |first2=Paul |date=2002-09-23 |df=mdy |url=https://www.infoworld.com/article/2074873/all-that-jaas.html |title=All that JAAS |work=[[JavaWorld]] |access-date=2020-07-20}}<br />
* [https://spnego.sourceforge.net/ SPNEGO Library - open source GNU LGPL project that relies on the JAAS framework to simplify Authentication and Authorization]<br />
<br />
{{Authentication APIs}}<br />
<br />
[[Category:Java APIs]]<br />
[[Category:Computer access control]]</div>imported>Dujo