"This paper explains how to use the Java Authentication and Authorization API (JAAS). It plugs JAAS into the Struts framework. Though this paper focuses on Struts, and in particular the example application distributed with Struts, the lessons learned should be applicable to any MVC web framework."
"However, the article did not discuss, in detail, alternatives to using LDAP directly for Java Authentication and Authorization Service (JAAS) security, such as a Trust Association, one of the more popular system alternatives. Essentially, the power of JAAS is in its ability to use almost any underlying security system. One of those approaches is to use a Trust Association Interceptor (TAI) instead of direct LDAP access."
"J2EE application servers that implement JAAS provide enterprise application developers with the standard Login Module API for tapping custom or legacy security systems from their applications. While application developers write to the LoginModule API (specifically, the LoginContext API), the application server implements the LoginModule interface."
"Traditional Java security mechanisms didn't provide the infrastructure required to support traditional authentication and authorization; security in J2SE is based on public key cryptography and code signing. In other words, authentication was based on the idea that code is executing in the JVM and not a principal making a request for a resource. And authorization was based on the notion that the code attempts to use a computing resource. The Java Authentication and Authorization Service (JAAS) was designed to address these shortcomings."
"GSSAPI can be enhanced with the provision of a login interface by leveraging the login architecture of the Java Authentication and Authorization Service (JAAS). The JAAS login process is akin to the two-phase commit process used in transaction processing systems, where participants prepare their transactions in the first phase and commit the transactions during the second phase only when all participants were successful in the first, prepare phase. They abort and roll back the transaction if one or more participants failed in the prepare phase."
"Unfortunately, the Java Authentication and Authorization Service (JAAS), which is part of the Java 2 platform, does not allow for class instance-level access control or special relationships. In this article, we will extend the JAAS framework to include both. The driving motivation behind this extension is to allow us to separate access control into a generalized framework that uses policies based on ownership and special relationships. These policies may then be changed by an administrator over the lifespan of an application."
"Suffice it to say that with the introduction of the J2EE Web application security architecture, we're reaping the rewards of nearly 10 years of trial and error, and it shows. The J2EE security framework consists of three APIs: the Java Authentication and Authorization Service (JAAS), Java Secure Socket Extension (JSSE), and Java Cryptography (JCE). While JCE is an interesting and important API, it's not quite so central to our interests as the "big three" of secure Web application development: authentication, authorization, and transport. So in this month's column we'll focus on the JAAS and JSSE."