Chapter 8: Using the JAAS API


Introduction

The Java Authentication and Authorization Service (JAAS) provides a framework and standard programming interface for authenticating users and assigning privileges. JAAS is based on the Pluggable Authentication Module (PAM) standard, which extends the access-control architecture of the Java 2 platform to support user-based authentication and authorization.

JAAS support is provided in EAServer as an alternative authentication mechanism. EAServer supports user-name and password-based JAAS authentication. The code-level authorization component of JAAS is not supported in this version of EAServer.

EAServer 6.0 does not support the use of JAAS in clients. The security principal and credentials for EJB or JMS InitialContext are used exclusively. EAServer 6.0 support for JAAS with EJB, JMS and Web clients is limited to the JAAS loginMethod method for a security domain. See “Login methods” for more information.

See the Java software Web site http://www.java.sun.com/products/jaas/ for more information about JAAS.

There are several new terms that are used throughout this chapter:

Principal represents a user identity that is used to gain access to a computing service; typically this is a user’s login name or public key.

Credentials represent a security attribute of a principal; typically this is a user's password or public-key certificate. The credential is set in the subject when the principal is authenticated successfully.

Subject is an entity that has one or more principals and corresponding security attributes.

A login context is the JAAS mechanism that lets an application be developed independently of the underlying authentication technology.

A login module is an authentication module that can be plugged in under a Java application using the JAAS framework. The module implements the JAAS javax.security.auth.spi.LoginModule interface. It performs authentication either on its own or by interacting with an external authentication service such as Kerberos.

A callback is the mechanism by which a login module retrieves from the Java application the parameter values it needs for authentication. The callback handler is implemented in the Java application to pass the required parameters to the login module; it implements the CallbackHandler interface in the javax.security.auth.callback package.

The JAAS configuration file ($EAServer/config/eas_jaas.cfg) specifies:

This is the interaction between an application, login module, and the JAAS configuration file:

  1. The Java application program instantiates a login context that consults the JAAS configuration file to load all of the login modules configured for that application.

  2. The login module asks the Java program for the user name and password through the JAAS callback mechanism.

  3. The login module executes custom code to authenticate the user and set up the subject with valid principals and credentials if successfully authenticated.

The subject can then be used to gain access to controlled resources or to perform privileged actions.