Java Authentication Explained (using JAAS)

Getting back to blogging after a long, long time!!

There is enough literature about the Java Authentication and Authorization Service (JAAS), and most application servers have rich support for different types of authentication. But what really happens under the covers? There is no better way to find out than writing a custom login module to authenticate a user using JAAS.

All the sample code discussed in this blog can be viewed at the Google Code project DalalStreet.

The first step is to define a jaas.conf, and this is how the file looks:

DalalStreet {
    org.ds.auth.DSLoginModule required;
};

where org.ds.auth.DSLoginModule is the custom login module that contains the code to handle the customized authentication. The login module implements the following methods:
– initialize (receives the callback handler, which is used to obtain usernames, passwords, etc.)
– login (self-explanatory and the most important method)
– commit (called when login succeeds)
– abort (called when login or commit fails)
– logout
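As an added illustration (my own code, not from the DalalStreet project), here is a minimal LoginModule wired the way the five methods above describe; the class name DemoLoginModule and the in-memory USERS map are assumptions standing in for the project's DSLoginModule and its real credential check.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class DemoLoginModule implements LoginModule {   // hypothetical name, not the project's class
    // Constructed demo store; a real module would check a DB, LDAP, TACACS, etc. against a salted hash.
    private static final Map<String, char[]> USERS = Map.of("alice", "s3cret".toCharArray());
    private Subject subject;
    private CallbackHandler handler;   // app-supplied; decides how the user is asked for name/password
    private String user;
    private boolean loginOk;
    private Principal principal;
    @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s;
        handler = h;
    }
    @Override public boolean login() throws LoginException {   // phase 1: collect and check credentials
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("could not obtain credentials: " + e.getMessage());
        }
        char[] supplied = pc.getPassword();   // a copy: wipe both it and the callback's own buffer
        pc.clearPassword();
        char[] expected = USERS.get(nc.getName());
        loginOk = expected != null && Arrays.equals(expected, supplied);   // false if supplied is null
        if (supplied != null) Arrays.fill(supplied, '\0');
        if (!loginOk) throw new FailedLoginException("bad username or password");   // one message for both
        user = nc.getName();
        return true;
    }
    @Override public boolean commit() {   // phase 2: every module in the stack passed, attach the identity
        if (!loginOk) return false;
        principal = () -> user;   // Principal has a single abstract method, so a lambda suffices here
        subject.getPrincipals().add(principal);
        return true;
    }
    @Override public boolean abort() { boolean had = loginOk; logout(); return had; }   // failure elsewhere
    @Override public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        user = null; loginOk = false; principal = null;
        return true;
    }
}
```

The application drives it with `new LoginContext("DalalStreet", handler).login()`, which looks up the entry in jaas.conf and calls these methods in order.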

The rest is explained in the short video – less than 10 minutes – below (the video shows a debugging session, so if you want to clearly see the lines of the code, breakpoints, variable values, etc. then it is best viewed in HD mode).

What we have discussed above is a very simple example, and I am sure you could have written code to capture/request the username/password from the user and code to validate it against a well-known set of usernames and passwords (e.g. in a database). So what is it that makes JAAS so special?

– The most important advantage of using JAAS is that you can switch the login modules (i.e. swap the implementation class) without any code changes. That means if your LoginModule implementation currently authenticates a user via TACACS and tomorrow it has to use LDAP, you just have to write a class that handles the LDAP authentication and modify the jaas.conf to contain the new implementation class; you really don’t have to change a single line of code in your application (it is really that simple).
– Even the callback handler can be configured (e.g. by a simple property or Spring), so you can decide to change how you request your user’s credentials.

So hopefully you found this post (and the video) useful/helpful. Here are the links to the files in case you want to take a detailed look at the code.
org.ds.auth package (where most of the files are located)

resources folder (where jaas.conf is located)

org.ds.util
