Home > Articles > Security > General Security and Privacy

  • Print
  • + Share This
Like this article? We recommend

Logging In

JAAS authentication is performed in a pluggable fashion. This permits Java applications to remain independent from underlying authentication technologies. New or updated technologies can be plugged in without requiring modifications to the application itself.

In this example, I use a simple username and password authentication scheme to authenticate against the JBoss Application Server. As is detailed in other documentation, A JAAS client requires a LoginContext and that Context requires a handler. The expectation behind the handler is that it "handles" getting the authentication information from the user, either via a GUI or some other venue.

Here, I use the UsernamePasswordHandler provided by JBoss to programmatically pass the credentials to the LoginContext. The LoginContext then tests this handler against the modules it is configured against, to verify that the user is allowed to log in. Once this login method is passed, the code is then free to execute actions in the role of that logged-in user. The steps involved in this authentication are detailed in the example below:

       UsernamePasswordHandler handler = null;
       handler = new UsernamePasswordHandler(username, password);
       LoginContext lc = new LoginContext("example", handler);

First, the code sets the java.security.auth.login.config System property and points that property to a URL. The URL references a jaas.config file stored on the server, which defines what modules should be used to authenticate the user.

The jaas.config file is as follows:

   example {  org.jboss.security.ClientLoginModule required;};

Using this module for this example, the user will always pass the login method successfully. The module merely binds the username and password to the JBoss EJB invocation layer for later authentication on the server. Once the login is successful, the user can then create an InitialContext and access objects on the server.

Note that in this environment, the authentication of the user does not occur until the first method requiring authentication on the server is used. For instance, let's say that the server has a stateful session bean through whichthe user processes all requests, and that that bean has defined that only users in the role of "External" may create that bean. Then, as soon as the user attempts to call create on the bean's home interface, the user is authenticated in the security environment for that bean. If the user fails the authentication, a java.rmi.AccessException is thrown on the client.

  • + Share This
  • 🔖 Save To Your Account