Java Authentication and Authorization Service

 


The standard Java 2 security application programming interface (API) helps enforce access control based on the location of the code and the user. Java 2 security authorization does not consider the current principal of the running thread. However, there are cases where authorization is based on the principal, as opposed to the code base and the user. The Java Authentication and Authorization Service is a standard Java API that extends Java 2 security authorization so that access decisions can be based on the principal as well as on the code base and users.

The Java Authentication and Authorization Service (JAAS) Version 1.0 extends the Java 2 security architecture of the Java 2 platform with additional support to authenticate and enforce access control with principals and users. JAAS implements a Java version of the standard Pluggable Authentication Module (PAM) framework, and extends the access control architecture of the Java 2 platform in a compatible fashion to support user-based authorization or principal-based authorization. WebSphere Application Server fully supports the JAAS architecture. JAAS extends the access control architecture to support role-based authorization for Java 2 Platform, Enterprise Edition (J2EE) resources including servlets, JavaServer Pages (JSP) files, and EJB components. Refer to Java 2 security for more information. The following sections cover the JAAS implementation and programming model:

The JAAS documentation can be found at http://www.ibm.com/developerworks/java/jdk/security. Scroll down to find the JAAS documentation for your platform.


Sub-topics
Java Authentication and Authorization Service authorization

Related concepts
Programmatic login

Authorization technology

Related reference
Login configuration for Java Authentication and Authorization Service