What is JAAS?

Alex Chaffee

From http://java.sun.com/products/jaas/:


The Java Authentication and Authorization Service (JAAS) is a Java package that enables services to authenticate and enforce access controls upon users. It implements a Java version of the standard Pluggable Authentication Module (PAM) framework, and extends the access control architecture of the Java 2 Platform in a compatible fashion to support user-based authorization.

Why Use JAAS?

The latest release of the Java 2 Software Development Kit, v 1.3, provides a means to enforce access controls based on where code came from and who signed it. The need for such access controls derives from the distributed nature of the Java platform, where, for instance, a remote applet may be downloaded over a public network and then run locally.

The Java 2 platform, however, lacks the means to enforce similar access controls based on who runs the code. To provide this type of access control, the Java 2 security architecture requires additional support for authentication (determining who's actually running the code), and extensions to the existing authorization components to enforce new access controls based on who was authenticated. The Java Authentication and Authorization Service (JAAS) framework augments the Java 2 platform with such support.

Important Features

  • Pure Java implementation.
  • Pluggable Authentication Module (PAM) framework implementation for authenticating users.
  • Single sign-on support.
  • Flexible access control policy for user-based, group-based, and role-based authorization.
  • Sample authentication modules using:
    • Java Naming and Directory Interface (JNDI)
    • Solaris Operating Environment
    • Windows NT

However, I don't know the answer to certain questions like: How well is it integrated into J2EE? What products support it? Can I use it with Servlets or EJB? Please submit feedback or new FAQ questions if you know more...