Java Authentication and Authorization Service
The standard Java 2 security API enforces access control based on the location of the code source (the code base) and on the author or packager who signed the JAR file. The principal of the running thread is not considered in Java 2 security authorization. There are cases, however, where authorization must be based on the principal or user rather than on the code base. The Java Authentication and Authorization Service (JAAS) is a standard Java API that extends Java 2 security authorization so that access decisions can be based on the principal and user as well as on the code base.
JAAS Version 1.0 extends the Java 2 security architecture of the Java 2 platform with additional support for authenticating and enforcing access control with principals and users. JAAS implements a Java version of the standard Pluggable Authentication Module (PAM) framework and extends the access control architecture of the Java 2 platform in a compatible fashion to support user-based or principal-based authorization. WAS fully supports the JAAS architecture. JAAS extends the access control architecture to support role-based authorization for Java EE resources, including servlets, JSP files, and EJB components.
Refer to Java 2 security for more information.
The subtopics below cover the JAAS implementation and programming model:
The JAAS documentation can be found at http://www.ibm.com/developerworks/java/jdk/security. Scroll down to find the JAAS documentation for the platform.
Subtopics
- Java Authentication and Authorization Service authorization
The Java 2 security architecture uses a security policy to specify which access rights are granted to running code. This architecture is code-centric: permissions are granted based on code characteristics, including where the code comes from, whether it is digitally signed, and by whom. JAAS authorization augments the existing code-centric access controls with new user-centric access controls, so that permissions are granted based on both what code is running and who is running it.
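The code-centric versus user-centric distinction above, as an added example that is not part of the WebSphere documentation: the same permission check passes or fails depending on which principal the running Subject carries. The AppPrincipal class, the property names and the policy entries in the comment are assumptions for illustration, and a security manager must be installed for the policy to be enforced.

```java
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Collections;
import java.util.PropertyPermission;
import javax.security.auth.Subject;

// Hypothetical principal class; real code uses the one its LoginModule populates.
final class AppPrincipal implements Principal {
    private final String name;
    AppPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
}

public class PrincipalBasedAuthorization {
    /* Assumed policy file, enabled with
     *   -Djava.security.manager -Djava.security.policy=jaas.policy
     * The first grant is the usual code-centric one; the second is user-centric
     * and applies only while the running Subject holds AppPrincipal "alice":
     *   grant codeBase "file:./classes/-" {
     *       permission java.util.PropertyPermission "app.version", "read";
     *   };
     *   grant principal AppPrincipal "alice" {
     *       permission java.util.PropertyPermission "app.secret", "read";
     *   };
     */
    static boolean canRead(Subject subject, String property) {
        PrivilegedAction<Boolean> check = () -> {
            try {
                AccessController.checkPermission(new PropertyPermission(property, "read"));
                return true;
            } catch (AccessControlException denied) {
                return false; // neither the code base nor any principal grants it
            }
        };
        // With a null context the policy is evaluated against this class's code
        // base plus the Subject's principals: the user-centric check JAAS adds.
        return Subject.doAsPrivileged(subject, check, null);
    }
    static Subject subjectFor(String user) {
        return new Subject(true, Collections.singleton(new AppPrincipal(user)),
                Collections.emptySet(), Collections.emptySet());
    }
    public static void main(String[] args) {
        System.out.println("alice: " + canRead(subjectFor("alice"), "app.secret"));
        System.out.println("bob:   " + canRead(subjectFor("bob"), "app.secret"));
    }
}
```

Under the assumed policy, app.version is readable by any Subject because the grant is code-centric, while app.secret is readable only when the Subject carries the "alice" principal.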
Related concepts
Authorization technology