IBM developerWorks : Java : Education - Tutorials
Java security, Part 2: Authentication and authorization
2. Conceptual overview
  


JAASExample flow of operations (page 7 of 7)


The following is a brief description of the overall authentication and authorization flow illustrated by the JAASExample diagram. Each of the steps below will be described in greater detail throughout the rest of the tutorial.

We begin with the first step of authentication, which is to create a login context and attempt to log in. The LoginContext is a Java class that uses information in the login.config file to decide which login modules to call and what criteria will be used to determine success. For this example, there are two login modules. The first, called AlwaysLoginModule, does not require a password, so it always succeeds (this is unrealistic, but it is sufficient to illustrate how JAAS works). This module is tagged with the keyword required, meaning that it must succeed for the overall login to succeed (which it always does). The second, called PasswordLoginModule, requires a password, but its success is optional because it is tagged with the keyword optional. This means that the overall login can still succeed even if PasswordLoginModule fails.

After initialization, the selected login modules undergo a two-phase commit process controlled by the LoginContext. As part of this process, a UsernamePasswordCallbackHandler is called to get the username and password from an individual, who is represented by a Subject object. If the authentication is successful, a Principal is added to the Subject. A Subject may have many Principals (in this case, "Brad" and "joeuser"), each of which authorizes the user for different levels of access to the system. This completes the authentication step.

Once authentication is complete, we use the Subject to try to execute some sensitive payroll-action code, using a programmatic authorization technique and the doAs method. JAAS checks to see if the Subject is authorized for access. If the Subject has a Principal that authorizes access to the payroll code, the execution is allowed to proceed. Otherwise, execution will be denied.
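The authentication flow and the programmatic authorization step described above, as an added example that is not the tutorial's JAASExample code. It assumes JDK 18 or later (Subject.callAs is the non-deprecated form of doAs), replaces the login.config file with an equivalent programmatic Configuration, and uses hypothetical stand-ins for AlwaysLoginModule, PasswordLoginModule, UsernamePasswordCallbackHandler and the Principal class; the in-memory user table and the credentials are constructed for the example.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import java.util.concurrent.CompletionException;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class JaasFlowExample {

    // Minimal Principal (hypothetical); JAAS only requires the java.security.Principal interface.
    public record UserPrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }

    // Stand-in for the tutorial's AlwaysLoginModule: no credentials, always succeeds.
    public static class AlwaysLoginModule implements LoginModule {
        private Subject subject;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; }
        public boolean login() { return true; }
        public boolean commit() { subject.getPrincipals().add(new UserPrincipal("Brad")); return true; }
        public boolean abort() { return true; }
        public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal); return true; }
    }

    // Stand-in for PasswordLoginModule: asks the CallbackHandler for a name and password and checks
    // them against a constructed in-memory table (a real module would verify a salted password hash).
    public static class PasswordLoginModule implements LoginModule {
        private static final Map<String, char[]> USERS = Map.of("joeuser", "s3cret".toCharArray()); // constructed
        private Subject subject;
        private CallbackHandler handler;
        private String user;   // set only after a successful login(); commit() adds the Principal
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h;
        }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (Exception e) { throw new LoginException("callback failed: " + e); }
            String name = nc.getName();
            char[] given = pc.getPassword();           // a copy; wiped below
            char[] expected = name == null ? null : USERS.get(name);
            boolean ok = given != null && Arrays.equals(expected, given);
            pc.clearPassword();
            if (given != null) Arrays.fill(given, '\0');
            if (!ok) throw new FailedLoginException("bad credentials for " + name);
            user = name;
            return true;
        }
        public boolean commit() { if (user == null) return false; subject.getPrincipals().add(new UserPrincipal(user)); return true; }
        public boolean abort() { user = null; return true; }
        public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal); return true; }
    }

    // Programmatic equivalent of the tutorial's login.config entry:
    //   JAASExample { AlwaysLoginModule required; PasswordLoginModule optional; };
    static final Configuration CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!"JAASExample".equals(name)) return null;
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(AlwaysLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, Map.of()),
                new AppConfigurationEntry(PasswordLoginModule.class.getName(), LoginModuleControlFlag.OPTIONAL, Map.of()),
            };
        }
    };

    // The handler plays the part of UsernamePasswordCallbackHandler, answering from memory instead of prompting.
    public static Subject login(String user, char[] password) throws LoginException {
        CallbackHandler handler = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback nc) nc.setName(user);
                else if (c instanceof PasswordCallback pc) pc.setPassword(password);
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("JAASExample", new Subject(), handler, CONFIG);
        lc.login();   // two-phase: every module's login(), then commit() on success or abort() on failure
        return lc.getSubject();
    }

    // Programmatic authorization: run the payroll action as the Subject and let the code itself
    // inspect the Principals (the tutorial uses doAs; callAs wraps any exception in CompletionException).
    public static String runPayroll(Subject subject) {
        return Subject.callAs(subject, () -> {
            boolean allowed = Subject.current().getPrincipals(UserPrincipal.class).stream()
                    .anyMatch(p -> p.getName().equals("joeuser"));
            if (!allowed) throw new SecurityException("payroll: no authorizing Principal on Subject");
            return "payroll action ran";
        });
    }

    public static void main(String[] args) throws Exception {
        // Correct password: both modules commit, so the Subject holds "Brad" and "joeuser".
        Subject full = login("joeuser", "s3cret".toCharArray());
        System.out.println(full.getPrincipals() + " -> " + runPayroll(full));
        // Wrong password: the optional module fails but the required one succeeds, so the login
        // still succeeds; the Subject holds only "Brad" and the programmatic check refuses payroll.
        Subject partial = login("joeuser", "wrong".toCharArray());
        try { runPayroll(partial); }
        catch (CompletionException e) { System.out.println(partial.getPrincipals() + " -> " + e.getCause().getMessage()); }
    }
}
```

The second run in main is the case the text calls out: an optional module failing does not fail the login, so authorization code must never assume that a successfully authenticated Subject carries every Principal; it has to check for the specific Principal that grants the access it is about to allow.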

Next, we attempt to execute some sensitive personnel-action code using a declarative authorization technique and the doAsPrivileged method. This time JAAS uses a user-defined permission (PersonnelPermission), a Java policy file (jaas.policy), and the Java access controller (AccessController) to decide whether the execution can proceed.
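The declarative step, as an added example that is not the tutorial's code: a hypothetical PersonnelPermission, a constructed jaas.policy grant (the tutorial's own policy file is not shown on this page), and doAsPrivileged guarding the personnel action with AccessController.checkPermission. It assumes a JDK that still ships the SecurityManager (the run line below is for JDK 17) and a stand-in Principal class; the Subjects are built directly rather than through a LoginContext so the block stands alone.

```java
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

public class DeclarativeAuthzExample {

    // Hypothetical user-defined permission standing in for the tutorial's PersonnelPermission.
    // BasicPermission supplies name-based implies() (with "*" wildcards) and needs no actions string.
    public static final class PersonnelPermission extends BasicPermission {
        public PersonnelPermission(String name) { super(name); }
    }

    public record UserPrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }

    // Constructed jaas.policy for this example. The first grant lets the application code call
    // doAsPrivileged and add Principals; the second binds PersonnelPermission "hire" to joeuser:
    //
    //   grant {
    //       permission javax.security.auth.AuthPermission "doAsPrivileged";
    //       permission javax.security.auth.AuthPermission "modifyPrincipals";
    //   };
    //   grant principal DeclarativeAuthzExample$UserPrincipal "joeuser" {
    //       permission DeclarativeAuthzExample$PersonnelPermission "hire";
    //   };
    //
    // Run on JDK 17 with the SecurityManager and that policy:
    //   java -Djava.security.manager -Djava.security.policy=jaas.policy DeclarativeAuthzExample
    // (JDK 18 to 23 also need -Djava.security.manager=allow; JDK 24 and later removed the
    // SecurityManager, so policy-based checks of this kind are not available there.)
    public static String hire(Subject subject) {
        return Subject.doAsPrivileged(subject, (PrivilegedAction<String>) () -> {
            // Unlike the programmatic style, the code does not look at Principals: it asks the
            // access controller, which consults the policy for the Subject-bound domain on the stack.
            AccessController.checkPermission(new PersonnelPermission("hire"));
            return "personnel action ran";
        }, null);   // null context: only the Subject and the action's own domain are considered
    }

    public static void main(String[] args) {
        Subject joe = new Subject();
        joe.getPrincipals().add(new UserPrincipal("joeuser"));
        Subject brad = new Subject();
        brad.getPrincipals().add(new UserPrincipal("Brad"));
        for (Subject s : new Subject[] { joe, brad }) {
            try { System.out.println(s.getPrincipals() + " -> " + hire(s)); }
            catch (SecurityException e) {   // AccessControlException is a SecurityException
                System.out.println(s.getPrincipals() + " -> denied: " + e.getMessage());
            }
        }
    }
}
```

Because the grant is keyed on the Principal rather than written into the code, changing who may run the personnel action means editing jaas.policy, not recompiling; the trade-off is that the check is only as strong as the policy file's integrity and the JDK's support for the SecurityManager.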

