Java Authentication Authorization Service (JAAS, Java Authentication and Authorization API) provides a flexible and scalable mechanism to ensure that Java programs on the client or server end. Java's early Security Framework emphasizes that by verifying the source and author of the Code, users are protected from downloading code attacks. JAAS emphasizes that it protects the system from user attacks by verifying who is running the code and his/her permissions. It allows you to use standard security mechanisms, such as Solaris NIS (Network Information Service), Windows NT, LDAP (Lightweight Directory Access Protocol), and Kerberos, it can be integrated into the system in a configurable manner.
Have you ever needed to implement a login module for an application? If you are a relatively experienced programmer, I believe you have done this job many times, and each time it is not exactly the same. You may establish your login module on the basis of the Oracle database, or use NT user authentication or the LDAP directory. If there is a way to support all the security mechanisms mentioned above without changing the application-level code, it must be a lucky thing for programmers.
Now you can use JAAS To achieve the above goal. JAAS is a relatively new Java API. In J2SE 1.3, it is an extension package; In J2SE 1.4, it becomes a core package. In this article, we will introduce some of the core concepts of JAAS, and then illustrate how to apply JAAS to actual programs through examples. The example in this article is adapted based on a Web-based Java application. In this example, we use relational databases to save user login information. With JAAS, we have implemented a robust and flexible login and authentication module.
Client and server JAAS
Developers can apply JAAS to clients and servers. It is easy to use JAAS on the client. It is complicated to use JAAS on the server. Currently, the JAAS products in the application server market are not very consistent. There are some minor differences between the J2EE application servers using JAAS. For example, JBossSx uses its own structure to integrate JAAS into a larger security framework. Although WebLogic 6.x also uses JAAS, the security framework is completely different.
Now you can understand why we need to look at JAAS from the client and server perspectives. We will list the examples in the following two cases. To make the example program on the server simpler, we use the Resin application server.
Core JAAS class
Before using JAAS, you must install JAAS first. JAAS is included in J2SE 1.4, but not in J2SE 1.3. If you want to use J2SE 1.3, you can download JAAS from SUN's official website. After JAAS is correctly installed, you will find jaas. jar in the lib directory of the installation directory. You need to add the path to Classpath. (Note: If you have installed the application server, which includes JAAS, please read the help documentation of the application server for more details ). In the Java security Attribute file java. security, you can change some JAAS-related system attributes. The file is saved in the/lib/security directory.
The following steps are generally involved when using JAAS for verification in an application:
1. Create a LoginContext instance.
2. To obtain and process verification information, send a CallBackHandler object as a parameter to LoginContext.
3. Call the login () method of LoginContext for verification.
4. Use the Subject object returned by the login () method to implement some special functions (assuming that the logon is successful ).
The following is a simple example:
LoginContext lc = new LoginContext ("MyExample ");
Try {
Lc. login ();
} Catch (LoginException ){
// Authentication failed.
}
// Authentication successful, we can now continue.
// We can use the returned Subject if we like.
0 Subject sub = lc. getSubject ();
Subject. doAs (sub, new MyPrivilegedAction ());
When running this code, the background performs the following work.
1. during initialization, The LoginContext object first finds the MyExample item in the JAAS configuration file, and then determines which LoginModule object to load.
2. during login, The LoginContext object calls the login () method of each LoginModule object.
3. verify each login () method or obtain a CallbackHandle object.
4. The CallbackHandle object interacts with the user by using one or more CallBack methods to obtain user input.
5. Enter verification information in a new Subject object.
We will further explain the code. Before that, let's take a look at the core JAAS classes and interfaces involved in the code. These classes can be divided into three types:
Common Subject, Principal, credential
Verify LoginContext, LoginModule, CallBackHandler, and Callback
Authorization Policy, AuthPermission, PrivateCredentialPermission
Most of the classes and interfaces listed above are in the javax. security. auth package. In J2SE 1.4, some interface implementation classes are included in the com. sun. security. auth package.
Common Type: Subject, Principal, credential
The Subject class represents a verification entity, which can be a user, Administrator, Web Service, device, or other process. This class contains three types of security information:
Identity: represented by one or more Principal objects
Public credentials: for example, name or Public Key
Private credentials: for example, a password or Private key
The Principal object represents the identity of the Subject object. They implement java. security. Principal and java. io. Serializable interfaces. In the Subject class, the most important method is getName (). This method returns an identity name. The Subject object contains multiple prinal Al objects, so it can have multiple names. Because the login name, ID card number, and Email address can both be used as the user's identity, it can be seen that the situation with multiple identity names is very common in practical applications.
The Credential mentioned above is not a specific class or excuse. It can be any object. A credential can contain any authentication information required by a specific security system, such as a tag, key, or password. The Subject object maintains a specific set of private and public creden。, which can be obtained through the getPrivateCredentials () and getPublicCredentials () methods. These methods are generally called by the security subsystem at the application layer.
Verification: LoginContext
In the application layer, you can use the LoginContext object to verify the Subject object. The LoginContext object also reflects the Dynamic Pluggability of JAAS, because when you create a LoginContext instance, You need to specify a configuration. LoginContext usually loads configuration information from a text file, which tells the LoginContext object which is used for logon.
The following lists the three methods that are frequently used in LoginContext:
Login. This method activates all the LoginModule objects in the configuration. If successful, it creates a verified Subject object; otherwise, a LoginException is thrown.
GetSubject () returns the verified Subject object
Logout () cancels the Subject object and deletes the relevant Principal object and credential.
Verification: LoginModule
LoginModule is an interface that calls a specific authentication mechanism. J2EE 1.4 contains the following LoginModule implementation classes:
JndiLoginModule is used to verify the directory service configured in JNDI
Krb5LoginModule uses Kerberos protocol for verification
NTLoginModul uses the user information of the current user in the NT for verification
UnixLoginModule uses the user information of the current user in Unix for verification
These modules are bound together with the Principal interface implementation classes, such as NTDomainPrincipal and UnixPrincipal. These classes are in the com. sun. security. auth package.
The LoginModule Interface contains five methods:
Initialize () is called by the constructor when a LoginModule instance is created.
Login () for verification
Commit () This method is called when the LgoninContext object accepts the results returned by all LoginModule objects. This method assigns the Principal object and credential to the Subject object.
Abort () This method is called when verification of any LoginModule object fails. At this time, no Principal object or credential is associated with the Subject object.
Logout () deletes the Principal object and credential associated with the Subject object.
In application code, programmers generally do not directly call the methods listed above, but indirectly call these methods through LigonContext.
Verification: CallbackHandler and Callback
CallbackHandler and Callback objects allow the LoginModule object to collect necessary verification information from the system and the user, and are independent of the interaction process that occurs when the actual information is collected.
JAAS contains seven callback implementation classes and two CallbackHandler implementation classes in the javax. sevurity. auth. Callback package:
ChoiceCallback, ConfirmationCallback, LogcaleCallback, NameCallback, PasswordCallback, TextInputCallback, TextOutputCallback, DialogCallbackHandler, and TextCallBackHandler. The Callback interface will only be used on the client. I will introduce how to compile your own CallbackHandler class later.