
Using JAAS Authentication with JBoss

Contents

  1. Common Misconceptions
  2. Logging In
  3. Logging Out

The Java Authentication and Authorization Service (JAAS) is a set of APIs that enable services to authenticate and enforce access controls upon users. It implements a Java technology version of the standard Pluggable Authentication Module (PAM) framework, and supports user-based authorization.

By using the JAAS API, applications can connect and authenticate against a JBoss server using a fairly simple set of steps. Originally introduced as an optional package for version 1.3 of the Java 2 SDK, JAAS has been integrated into the Java 2 SDK, version 1.4.

A common JBoss application uses a DatabaseLoginModule for user authentication. Therefore, I use that module to demonstrate how a client can authenticate against the server and have its principal set properly.

Common Misconceptions

During my initial work with JAAS, I did a lot of research to learn the best way to have a heavy client authenticate against a JBoss server. This research turned up a lot of JAAS references, but not much about how to actually use it in this situation. As I continued, I discovered a large number of fragments, each describing how difficult this task is and warning how many hoops you must jump through to use JAAS properly.

After quite a few false starts, I finally got it working, but the implementation was less than ideal.

One recurring theme surrounding JAAS use in this capacity is the supposed necessity of executing everything through a Subject.doAs method. Subject is a class in the javax.security.auth package that represents a grouping of related information for a single entity, such as a person.

The last sentence is a quote from Sun's API documentation.

There is a strong belief, in some circles, that for your method calls to be properly authenticated they must be wrapped inside a PrivilegedAction and then executed via Subject's doAs method. Fortunately, as I detail below, this is not necessary at all.

The steps needed to authenticate properly against a JBoss application server are fairly simple once you strip away all of the unnecessary and ineffective code. At this time, I am not sure whether accessing other application servers is this simple, but based on my experience so far I would not be surprised to find that they are also surrounded by myths.
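To make the two patterns concrete, here is an added example (not code from the article or from JBoss) of a plain JAAS login through LoginContext with a minimal CallbackHandler, next to the doAs-wrapped call that the author says is unnecessary. The configuration entry name "client-login", the class names and the method names are assumptions; the entry must be mapped to a LoginModule in the JAAS configuration file named by java.security.auth.login.config.

```java
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class JaasClientLogin {
    // Hands the user name and password to whatever LoginModule the
    // configuration entry names. PasswordCallback takes a char[] so the
    // caller can zero it after use; the copy here is cleared by the caller.
    static final class SimpleCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        SimpleCallbackHandler(String user, char[] password) {
            this.user = user;
            this.password = password.clone();
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "Unrecognized callback");
                }
            }
        }
    }

    // "client-login" is an ASSUMED entry name in the JAAS configuration file.
    // login() drives the LoginModule's login and commit phases; the returned
    // Subject carries the Principals the module added.
    static Subject login(String user, char[] password) throws LoginException {
        LoginContext lc = new LoginContext("client-login", new SimpleCallbackHandler(user, password));
        lc.login();
        return lc.getSubject();
    }

    // The pattern the article calls unnecessary for JBoss clients: every call
    // wrapped in a PrivilegedAction and run under Subject.doAs. Shown for contrast.
    static String callWrapped(Subject subject) {
        return Subject.doAs(subject, (PrivilegedAction<String>) () -> subject.getPrincipals().toString());
    }
}
```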
