To follow the concepts in this section, it helps to understand how the Java platform implements access control for authorization. The platform uses the notion of an access control context to determine the authority of the current thread of execution; conceptually, this is a token attached to every thread. Prior to JAAS, access control was based solely on the code source of the Java .class files on the call stack: where the code was loaded from and who digitally signed it. Under that model, access was granted or denied based on where code was coming from. With JAAS, the model is turned around. By attaching a Subject to the access control context (which is what Subject.doAs does), we can grant or deny access based on who is executing (or asking to execute) a given piece of code, in addition to where that code came from.
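The following is an added illustration of the two halves of that model; it is not code from the tutorial's running example. It shows that the Subject is visible only to code running inside `Subject.doAs` (retrieved from the access control context with `Subject.getSubject`), and that a guarded operation asks the context, via `AccessController.checkPermission`, rather than trusting its caller. The names `WhoIsRunning`, `ExamplePrincipal`, `ReportPermission` and the policy grants in the comment are assumptions made for this example. For the policy to be enforced the program must run under a security manager with the policy file shown; without one, the access control context and Subject behaviour can still be observed.

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

/*
 * Added example (hypothetical names). To enforce the policy, run as:
 *   javac WhoIsRunning.java
 *   java -Djava.security.manager -Djava.security.policy=example.policy WhoIsRunning
 * with example.policy containing (grants keyed on WHO is running, not only WHERE the code is from):
 *
 *   grant {
 *       permission javax.security.auth.AuthPermission "doAs";
 *       permission javax.security.auth.AuthPermission "getSubject";
 *       permission javax.security.auth.AuthPermission "modifyPrincipals";
 *       permission javax.security.auth.AuthPermission "setReadOnly";
 *   };
 *   grant principal WhoIsRunning$ExamplePrincipal "alice" {
 *       permission WhoIsRunning$ReportPermission "exportReport";
 *   };
 */
public final class WhoIsRunning {

    /** A Principal naming the authenticated user; the policy matches on class and name. */
    public static final class ExamplePrincipal implements Principal {
        private final String name;
        public ExamplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof ExamplePrincipal && ((ExamplePrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "ExamplePrincipal[" + name + "]"; }
    }

    /** Names the sensitive operation; a BasicPermission carries no actions. */
    public static final class ReportPermission extends BasicPermission {
        public ReportPermission(String name) { super(name); }
    }

    /** The guarded operation asks the access control context for authority, not its caller. */
    static String exportReport() {
        AccessController.checkPermission(new ReportPermission("exportReport"));
        return "report exported";
    }

    /** Reports who the current thread is running as, according to its access control context. */
    static String currentIdentity() {
        AccessControlContext acc = AccessController.getContext();
        Subject s = Subject.getSubject(acc);
        return s == null ? "<no Subject in context>" : s.getPrincipals().toString();
    }

    static void attempt(String label) {
        String who = currentIdentity();
        try {
            System.out.println(label + ": running as " + who + " -> " + exportReport());
        } catch (AccessControlException e) {
            System.out.println(label + ": running as " + who + " -> denied (" + e.getPermission() + ")");
        }
    }

    public static void main(String[] args) {
        // 1. No Subject attached: the context holds only the ProtectionDomains of the code on the stack.
        attempt("outside doAs");

        // 2. A Subject constructed by hand for the example; in the running example it would come
        //    from LoginContext.login() after successful authentication.
        Subject alice = new Subject();
        alice.getPrincipals().add(new ExamplePrincipal("alice"));
        alice.setReadOnly();

        // Subject.doAs runs the action with alice's principals added to the context, so a
        // policy grant keyed on that principal can match.
        Subject.doAs(alice, (PrivilegedAction<Void>) () -> { attempt("inside doAs(alice)"); return null; });

        // 3. Same code, same code source, different Subject: only the "who" has changed.
        Subject mallory = new Subject();
        mallory.getPrincipals().add(new ExamplePrincipal("mallory"));
        mallory.setReadOnly();
        Subject.doAs(mallory, (PrivilegedAction<Void>) () -> { attempt("inside doAs(mallory)"); return null; });
    }
}
```

Two practical caveats. First, the check is only as strong as what the policy grants to the code itself: any code that holds `AuthPermission "doAs"` can run as any Subject it can construct, so the real trust boundary is the authentication step that produces the Subject and the policy that limits which code may call `doAs`. Second, this enforcement path depends on the Security Manager, which is deprecated for removal since Java 17 and permanently disabled in JDK 24 (JEP 486); on current JDKs `Subject.doAs` and `Subject.getSubject` are superseded by `Subject.callAs` and `Subject.current`, and applications are expected to perform their own principal-based authorization rather than rely on the platform policy.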
In this section, you'll learn about JAAS's mechanism for controlling access to sensitive code. We'll start with a description of how authorization works in JAAS, then proceed to a more in-depth description of each component of the authorization framework. We'll close this section with some code samples, used in the larger running example, that demonstrate both programmatic and declarative authorization techniques. At the end of this section, you should have a clear idea of how JAAS's authentication and authorization mechanisms work together to secure Java-based systems.