JAAS
Overview: Security is one of the main aspects in web applications. So the success of web application depends on the security implementation also. And for mission critical applications, security aspect has to be implemented and tested before it goes into production. Earlier days, security aspects were simple enough and developers code them following simple rules and validations. But nowadays more care has to be taken to make it a secure application. In this article we will discuss different security aspects and their implementation details.
Introduction: Java authentication and authorization service (JAAS) is a revolution in security domain. This is widely accepted in all java and J2EE enterprise applications. JAAS is basically a java based authentication and authorization API. The API exposes a set of interfaces and configuration for application use. Using these features, any web application can be secured and make production ready. But the use of JAAS or any custom module depends upon the application requirement.
Description: Before we discuss the details, we must know about the containers. A container can be defined as an environment (software environment) in which an application runs. Apart from running applications, container also has different other functionalities but we will discuss those in a separate article. The term ‘container’ is synonymous with a J2EE application server. It is also know as J2EE container. So the next question is, why do we need a container? Basically container provides all necessary services required to run the application smoothly and function properly. There are a number of J2EE containers available in the market and they provide different levels of support. But the container must follow the J2EE specification, may be partially or completely. Like tomcat is a web container, which only implements the servlet portion of the J2EE specification. Where as weblogic, websphere, JBoss are complete application server as they followed the complete J2EE specification.
Application Security: In this article we will mainly concentrate on application security. Before we move forward, we should have a clear understanding about the application security. Application security can be defined as a security mechanism implemented by the application itself to make it secure. The application can also take the help of a framework or application server features to implement it successfully. After implementing the security the application becomes secure from its users. If we consider from application perspective, then it is the responsibility of the developer to follow proper steps and decide on the security implementation details. There are many other types of security implementations also like network security, JVM security, application server security and many more. But our scope of discussion is limited to application security side only. Our focus in this discussion will be specifically on J2EE security features and its users. The access, authentication and authorization will be a part of application security implementation. The java feature JAAS will take care of all these issues.
Application Security Functions: As we are discussing the application security, we will first take a look at the following five main functions which are generally considered during the implementation.
- Authentication (Used to authenticate the user)
- Authorization (Check what logged in user can do)
- Registration (Register new user)
- Account maintenance (Which includes creating, updating etc)
- Account delete or inactivate (This is for user removal)
In general all applications do not follow all the above points. They might implement a sub set of the functions OR they might select some of them as per their need. But these are the basic fundamental functions which need to be considered during application security implementation.
JAAS Authentication: Java Authentication and Authorization Service (JAAS) is a standard framework for authenticating any users of any application. The application can be an enterprise application, web application or any standalone application. The most important part is the configuration files used in JAAS framework. The configuration file specifies the implementation of a set of standard interfaces and these are called to authenticate the user. In JAAS framework, the credential realization and its authentication happens inside the implementation of those standard JAAS interfaces. It includes the following interfaces.
- Callback interface
- CallbackHandler
- LoginModule
The functions of Callback interfaces are to retrieve the user credentials and the function of LoginModule is to verify user’s credentials and allow it to login or redirect to login failed message page.
The implementation of JAAS is different for standalone and other applications. In a typical standalone application, the Callback handler interface retrieves the credentials and LoginModule interface authenticate the credentials. And the user details are generally stored in a persistent store like database, local file system or LDAP directory. But when the application is deployed in a container then the mechanism is a bit different. The JAAS framework must communicate with the container to get its services related to authentication and authorization. The JAAS LoginModule is written with the use of container specific APIs. The container specific APIs are responsible for authenticate credentials. The container specific APIs perform the following two tasks
- Credential Realization
- Credential Authentication
The JAAS framework communicates with the container specific APIs with a single method call and passes the user details. After that the rest of the work is performed by the container. But this implementation varies from one container to another.
We must understand that JAAS is a framework which supports authentication and authorization mechanism. There are lot of other frameworks which does this automatically. But in JAAS, the developer has to write container specific code to call container APIs. So the custom JAAS code has to be written to implement authentication and authorization process. Nowadays some containers has JAAS implementation support and it is built in. But still the developer has to write code to implement JAAS completely.
In the following example we will see a standard JAAS container authentication. The CallbackHandler handles the user input and then the handle () method performs the actual task.
Listing1: Sample code showing the implementation
[code]
package com.techalpine.jaas;
import java.io.IOException;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
public class TACallbackHandler implements CallbackHandler
{
// Define basic user details like user name and password
private String uname;
private String pwd;
// Call constructor with user name and password
public TACallbackHandler(String uname, String pwd)
{
this.uname = uname;
this.pwd = pwd;
}
// This method is used to perform the actual task
public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException
{
// Write application sepcific implementation code
}
// Getter method to get user name
public String getUname()
{
return uname;
}
// Getter method to get password
public String getPword()
{
return pwd;
}
}
In the following example we will look into the login module and its implementation
Listing2: Sample showing login module
package com.techalpine.jaas;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.spi.LoginModule;
public class TALLoginModule implements LoginModule {
// Define variables
private Subject sub;
private CallbackHandler handlr;
private Map shrState;
private Map opts;
// Initialize the variables
public void initialize(Subject sub, CallbackHandler handlr,
Map shrState, Map opts)
{
this.sub = sub;
this.handlr = handlr;
this.shrState = shrState;
this.opts = opts;
}
// Authenticate user in login module
public boolean login() throws LoginException
{
MrBOOLCallbackHandler handlr = (MrBOOLCallbackHandler) this.handlr;
// Authenticate the user
return ContainerAuthMethod.authenticate
(
handlr.getUname(),
handlr.getPword()
);
}
// Commit the operation
public boolean commit() throws LoginException
{
return true;
}
// Abort the operation
public boolean abort() throws LoginException
{
return ContainerAuthMethod.logout(handlr.getUsername(),
handlr.getPassword());
}
// Logout from the application
public boolean logout() throws LoginException
{
return ContainerAuthenticationMethod.logout(handlr.getUsername(),
handlr.getPassword());
}
}
Conclusion: Before concluding our discussion on security and JAAS implementation, we must understand that selecting a proper security framework/ module depends upon the application requirement. If there is need for custom authentication then some time developers use custom modules (without using JAAS or any other solutions available in the market). But as we have said that JAAS provides the entire framework, we get readily available structure. The work of the developer is to code the custom part only which varies from one application to another.
