JAAS

JAAS protects the system from users by allowing or denying access based upon who or what runs the program. JAAS can simplify your Java security development by putting an abstraction layer between your application and disparate underlying authentication and authorization mechanisms. This independence from platforms and algorithms allows you to use different security mechanisms without modifying your application-level code. As with most Java security APIs, JAAS achieves this implementation-independence through an extensible framework of pluggable service provider interfaces (SPIs): a set of abstract classes and interfaces to which specific implementations are developed. JAAS can perform both authentication and authorization. Using JAAS authentication from your application typically involves the following steps:

Steps to create

ü  Create a LoginContext

ü  Optionally pass a CallbackHandler to the LoginContext, for gathering or processing authentication data

ü  Perform authentication by calling the LoginContext's login() method

ü  Perform privileged actions using the returned Subject (assuming login succeeds)   Underneath the covers, a few other things occur:

During initialization,

ü  the LoginContext finds the configuration entry "MyExample" in a JAAS configuration file (which you configured) to determine which LoginModules to load (see Figure 2)[JAAS.CONF]

ü  During login, the LoginContext calls each LoginModule's login() method

ü  Each login() method performs the authentication or enlists a CallbackHandler

The CallbackHandler uses one or more Callbacks to interact with the user and gather input

A new Subject instance is populated with authentication details such as Principals and credentials

FLOW OF EXECUTION: Any class that implements javax.security.auth.callback.CallbackHandler interface. javax.security.auth.callback.

CallbackHandler has only one method which we can use to provide a password for a given identifier. These passwords may be retrieved from a database, from a protected configuration file or the password callback handler may even delegate this functionality to some other component within the application like a user manager component, where the user management functionality is centralized.

--> -->