Security has been a basic component of the Java platform, from the early so-called Java sandbox to the robust, full-featured security architecture introduced by JDK 1.4. Since then, the designers of the Java language have received a great deal of advice from the community about what a secure Java application (or enterprise environment) should and should not do, and they have added a few tricks of their own.
It can be said that with the introduction of the Java EE Web application security architecture, we are reaping the results of the past 10 years of repeated experiments. The Java EE security framework is made up of three APIs: Java Authentication and Authorization Service (JAAS), Java Secure Socket Extension (JSSE), and Java Cryptography Extension (JCE). Although JCE is an interesting and important API, it is not particularly relevant to the "three major items" (authentication, authorization, and transmission) that concern us when developing secure Web applications. So in this month's column, we'll focus on JAAS and JSSE.
JAAS and JSSE Overview
JAAS provides a flexible, declarative mechanism for authenticating users and verifying their ability to access secure resources. JSSE defines a pure-Java mechanism for secure Web communication over Secure Sockets Layer (SSL). By combining these two technologies, we can make our applications:
Verify that the user is the person he or she claims to be (authentication).
Ensure that he or she is allowed access to the requested resources (authorization).
Exchange information over a secure network connection (transmission).
Now, let's look at each of the basic functional components.
Authenticate with JAAS
JAAS is built on a security architecture called Pluggable Authentication Modules (PAM). PAM's architecture is modular, which means it is designed to allow a seamless transition from one security protocol component to another by swapping modules. The well-defined interfaces in this framework allow multiple authentication technologies and authorization mechanisms to be added without altering or interfering with any existing login service. The PAM architecture can integrate a wide range of authentication technologies, including RSA, DCE, Kerberos, and S/Key, so JAAS can integrate these technologies as well. In addition, this framework is compatible with authentication systems based on smart cards and with LDAP authentication.
Like many Java 2 platform technologies, the JAAS API defines a clean abstraction between the application code and the physical implementation that performs the business logic. This abstraction layer makes it possible to substitute login modules at run time without recompiling the existing application code. In particular, the application writes to the LoginContext API, while the authentication technology provider writes to the LoginModule interface. At run time, LoginContext reads the configuration file to determine which login module or modules should be used to authenticate users accessing a particular application.
The authentication scheme used by JAAS is based on two very important entities: the principal and the subject. The actual person or service being authenticated is called the subject. A principal is a unique entity, such as an individual or group name, an account number, a Social Security number, or a similar unique identity. To uniquely identify a subject (which is a key part of authentication), one or more principals must be associated with that subject. Finally, a subject may have security-related attributes, called credentials. A credential can be anything from a simple password to a complex cryptographic key.
The application begins the authentication process by instantiating a LoginContext object. LoginContext queries a configuration file to determine the authentication technique or techniques to use and the corresponding LoginModule or LoginModules. A very simple LoginModule may prompt for a username and password and validate them. A slightly more advanced one may authenticate using an existing operating system logon identity. Theoretically, a JAAS LoginModule could even be built to interact with a fingerprint reader or an iris scanner.