Appendix C. JAAS Tutorial

The Java Authentication and Authorization Service (JAAS) lets an application protect its resources by granting access only to users who present valid credentials and hold the required permissions. JAAS puts a layer of abstraction between the application and the underlying security mechanism, so the security technology or realm can be changed without touching the rest of the system.


JAAS began as an optional package for J2SE 1.3 and is part of the core platform from J2SE 1.4 onward. It provides pluggable authentication that gives application designers a wide choice of security realms:

  • DBMS

  • Application Server

  • LDAP

  • Operating System (UNIX or Windows NT/2000)

  • File System

  • JNDI

  • Biometrics

JAAS supports single sign-on for an application. Rather than forcing the user to log in to the web site, then log in again to a forum or to a backend legacy system the application uses, JAAS coordinates all of these steps into one central login event: a login configuration entry can stack several login modules, one per realm, and a single call to LoginContext.login() drives them all and collects the resulting identities into one Subject, which the application then uses to reach every system the user needs.
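The following is an added example, written for this page rather than taken from the book, of the coordinated login just described. It stacks two instances of a hypothetical TableLoginModule under one configuration entry named "sso": a REQUIRED "website" realm and an OPTIONAL "legacy" realm, each backed by a constructed in-memory user table standing in for a real DBMS or LDAP lookup. One LoginContext.login() call drives both modules through the two-phase login()/commit() protocol (or abort() on failure), and the Subject ends up holding one RealmPrincipal per realm that accepted the user. The class, module, principal and realm names are all assumptions; the JAAS API calls are the standard ones. It needs Java 8 or later for the lambda and stream calls.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

/** Added example, not from the book: one LoginContext.login() drives two stacked realms. */
public class JaasStackedRealmsDemo {

    /** Principal recording which realm accepted the user; each successful module adds one. */
    public static final class RealmPrincipal implements Principal {
        final String realm, user;
        RealmPrincipal(String realm, String user) { this.realm = realm; this.user = user; }
        public String getName() { return user; }
        public String toString() { return realm + ":" + user; }
    }

    /** Constructed sample realms standing in for the web site's user table and a legacy back end. */
    static final Map<String, Map<String, char[]>> REALMS = new HashMap<>();
    static {
        Map<String, char[]> website = new HashMap<>(), legacy = new HashMap<>();
        website.put("alice", "s3cret".toCharArray()); website.put("carol", "pa55".toCharArray());
        legacy.put("alice", "s3cret".toCharArray());  legacy.put("bob", "hunter2".toCharArray());
        REALMS.put("website", website); REALMS.put("legacy", legacy);
    }

    /** Hypothetical LoginModule; its "realm" option selects which table it verifies against. */
    public static class TableLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private String realm, user; private boolean verified;

        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sharedState, Map<String, ?> options) {
            subject = s; handler = h; realm = (String) options.get("realm");
        }
        /** Phase 1: collect and verify credentials through the CallbackHandler; the Subject stays untouched. */
        public boolean login() throws LoginException {
            NameCallback name = new NameCallback("user: ");
            PasswordCallback pass = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { name, pass }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException("cannot collect credentials: " + e); }
            char[] supplied = pass.getPassword();   // our own copy; wipe it once compared
            pass.clearPassword();
            char[] expected = REALMS.get(realm).get(name.getName());
            // A real realm compares a salted hash in constant time; plain Arrays.equals is demo-only.
            boolean ok = expected != null && supplied != null && Arrays.equals(expected, supplied);
            if (supplied != null) Arrays.fill(supplied, '\0');
            if (!ok) throw new FailedLoginException(realm + ": bad user or password");
            user = name.getName(); verified = true;
            return true;
        }
        /** Phase 2: only after the whole stack has passed does each module attach its principal. */
        public boolean commit() {
            if (verified) subject.getPrincipals().add(new RealmPrincipal(realm, user));
            return verified;
        }
        public boolean abort() { verified = false; user = null; return true; }   // runs instead of commit() when the stack failed
        public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof RealmPrincipal); return abort(); }
    }

    /** Programmatic stand-in for a login configuration file: "website" is REQUIRED, "legacy" is OPTIONAL. */
    static AppConfigurationEntry entry(LoginModuleControlFlag flag, String realm) {
        Map<String, Object> options = new HashMap<>(); options.put("realm", realm);
        return new AppConfigurationEntry(TableLoginModule.class.getName(), flag, options);
    }
    static Configuration ssoConfiguration() {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!"sso".equals(name)) return null;
                return new AppConfigurationEntry[] { entry(LoginModuleControlFlag.REQUIRED, "website"),
                                                     entry(LoginModuleControlFlag.OPTIONAL, "legacy") };
            }
        };
    }

    /** The single login event: the same callbacks feed every realm and one Subject collects every identity. */
    public static Subject login(String user, char[] password) throws LoginException {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext lc = new LoginContext("sso", new Subject(), handler, ssoConfiguration());
        lc.login();   // login() on every module, then commit() on every module, or abort() on every module
        return lc.getSubject();
    }

    /** What a back-end resource asks before granting access: did its realm accept the caller? */
    public static boolean authenticatedTo(Subject subject, String realm) {
        return subject.getPrincipals(RealmPrincipal.class).stream().anyMatch(p -> p.realm.equals(realm));
    }

    public static void main(String[] args) throws Exception {
        Subject alice = login("alice", "s3cret".toCharArray());
        System.out.println(alice.getPrincipals() + " legacy=" + authenticatedTo(alice, "legacy"));   // [website:alice, legacy:alice] legacy=true
        Subject carol = login("carol", "pa55".toCharArray());   // unknown to the OPTIONAL legacy realm, still logged in
        System.out.println(carol.getPrincipals() + " legacy=" + authenticatedTo(carol, "legacy"));   // [website:carol] legacy=false
        try { login("bob", "hunter2".toCharArray()); }   // the REQUIRED website realm rejects bob, so every module aborts
        catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Compile and run it with `javac JaasStackedRealmsDemo.java && java JaasStackedRealmsDemo`. Two points are worth noticing: commit() is where identities appear in the Subject, and it runs only after every module's login() has reported, so a failure in the REQUIRED realm leaves the Subject empty even though the legacy realm had accepted bob; and the Configuration is built in code here only to keep the example self-contained, whereas in a deployment the same two entries would come from the login configuration file the container reads.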

We chose JAAS as the basis for our authentication strategy because:

  • It provides a security context that covers the entire J2EE architecture from the web tier to the EJB tier.

  • It is application-server neutral.

  • It integrates with the Java 2 security model.

  • It is part of the core J2SE 1.4 platform, so it requires no separate download.

  • It is more flexible than the other authentication mechanisms: login modules are pluggable and can be stacked, and they populate a Subject that carries both principals and credentials.

  • It supports single sign-on by coordinating multiple security realms.

  • It addresses authorization in addition to authentication.

  • It provides good encapsulation ...
