Skip to main content

JAAS Introduction

What is JAAS?

The Java Authentication and Authorization Service (JAAS) is a integrated package comes with Java 2 SDK. Basically JAAS is designed to achieve two things,

Authentication - determine who is executing the code
Authorization - ensure user/code has access control right to perform an action

 JAAS for Authentication

JAAS modules related to authentication are connected in a pluggable manner. So it promotes the reuse of underline authentication technology with different applications. Following are the key classes we use in authentication process.


LoginContext

This is the start point of the authentication process. This class contains 3 methods as,
  • login()  - authenticate user
  • logout() - logout user
  • getSubject() - get authenticated user
When we initiate a LoginContext, we provide required configurations to handle authentication. So we can change underlying authentication technology from the configuration without updating the application logic.

Configuration

This specifies the underline authentication technology which includes following,
  • Login Modules
  • Order of Login Modules
  • Flag values which decide the behavior(Required, Requisite, Sufficient, Optional)
  • Options which are consumed by Login Modules
Default implementation of Configuration is ConfigFile which loads the configurations from a file. We can set the configuration file via "-Djava.security.auth.login.config"" option.

LoginModule

This class contains the underline authentication mechanism. The interface LoginModule consists of 5 methods,
  • initialize() - LoginContext call this method to initialize the login module
  • login() - Authentication happens inside this method
  • commit() - After successful authentication user principal creation happens here
  • abort() - In case of failure, it handled here
  • logout() - Remove principal in case of logout

CallbackHandler

This class is responsible for collect and provide authentication information to the LoginModule. Same LoginModule may use different callback handlers to get credential from different sources. We can pass a CallbackHandler instance while creating a LoginContext.

Callback

Callback is the container which carries authentication information. LoginModule passes array of Callbacks to the CallbackHandler to get credentials.


Labels:

Comments

Post a Comment

Popular posts from this blog

UUID Generation with WSO2 ESB

There are use cases which we need to generate a UUID( universally unique identifier ) from the WSO2 ESB server for the back end services. There are two commonly used UUID types, Version 1 UUID or Time UUID A Version 1 UUID use a scheme relying only on timestamp and the MAC address of the computer on which it is generated Version 4 UUID Version 4 UUIDs use a scheme relying only on random numbers Getting a version 4 UUID is really easy in ESB, since we already have one in the message flow. So we can extract it like follows, <property name="MessageID" expression="fn:substring-after(get-property('MessageID'), 'urn:uuid:')"/> But in case of version 1 UUID or Time UUID, we have to use script mediator or class mediator to generate a UUID . Script mediator is slower compared to the class mediator.  A simple class mediator which can use for version 1 UUID generation can be found here . This class mediator uses this library to gene
Post a Comment
Read more

SAML2 IdP Initiated Single Logout with WSO2 Identity Server 5.1.0

With this feature WSO2 Identity Server facilitates IdP initiated SAML2 single log out requests. In the SAML service provider configuration UI here is a new configuration called “Enable IdP Initiated SLO”. You can enable this feature using this checkbox. Also you can define redirect URL after the single log out using "Return to URL" under “Enable IdP Initiated SLO” option. Following parameters can be used with IdP initiated SLO request. Parameter Description slo This is a mandatory parameter and must have the value “true” to mark the request as an IdP initiated log out request. spEntityID This is an optional parameter. Value of the parameter should be the SAML issuer name as in “Issuer” field in the SAML service provider configuration UI. returnTo This is an optional parameter. Value of the parameter should be the URL which needs to be redirected to, after the log out. If this parameter is present
Post a Comment
Read more

How to extract and import certificate from a SAML SP metadata file to a Keystore

Extract certificate from the SAML service provider metadata file as follows, <X509Data> <X509Certificate> MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UE CAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoMBFdTTzIxEjAQBgNVBAMMCWxv Y2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAyMTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQsw CQYDVQQIDAJDQTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UE AwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTou sMzOM4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe0hseUdN5 HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXnRS4HrKGJTzxaCcU7OQID AQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEAW5wPR7cr1LAdq+IrR44i QlRG5ITCZXY9hI0PygLP2rHANh+PYfTmxbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJR O4d1DeGHT/YnIjs9JogRKv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo= </X509Certificate> </X509Data> Copy extracted certificate to
Post a Comment
Read more