The Java Authentication and Authorization Service (JAAS) is a set of APIs that enable services to authenticate and enforce access controls upon users. It implements a Java technology version of the standard Pluggable Authentication Module (PAM) framework, and supports user-based authorization.
By using the JAAS API, applications can connect and authenticate against a JBoss server using a fairly simple set of steps. Originally introduced as an optional package to version 1.3 of the Java 2 SDK, JAAS has been integrated into the Java 2SDK, version 1.4.
A common JBoss application uses a DatabaseLoginModule for user authentication. Therefore, I use that module to demonstrate how a client can authenticate against the server and have its principal set properly.
During my initial work with JAAS, I did a lot of research to learn the best way to handle having a heavy client authenticate against a JBoss server. This research turned up a lot of JAAS references, but not much about actually how to use it in this situation. In my continued research, I discovered a large number of fragments, each describing how difficult this task is, and warning how many different hoops you must jump through to properly utilize JAAS.
After quite a few false starts, I finally got it working; but the implementation was less than ideal.
One common reoccurring theme surrounding JAAS use in this capacity is the necessity of executing everything through a Subject.doAs method. Subject is a class in the javax.security.auth package which represents a grouping of related information for a single entity, such as a person.
The last sentence is a quote from Sun's API Documentation
There is a strong belief, in some circles, that for your method calls to be properly authenticated, they need to be wrapped inside of a PrivilegedAction, and then executed via Subject's doAs method. As I detail below, fortunately this is not necessary at all.
The methods used to properly authenticate against a JBoss application server are fairly simple, once you pull away all of the unnecessary and ineffective code. At this time, I am not sure if accessing other application servers is as simple as this; but, based on my experience so far, I would not be surprised to find that they are also surrounded by a lot of false myths.