This page links to a series of tutorials demonstrating various aspects of the use of JAAS (Java Authentication and Authorization Service) and Java GSS-API.
JAAS can be used for two purposes:
Java GSS-API is used for securely exchanging messages between communicating applications. The Java GSS-API contains the Java bindings for the Generic Security Services Application Program Interface (GSS-API) defined in RFC 2853. GSS-API offers application programmers uniform access to security services atop a variety of underlying security mechanisms, including Kerberos.
Note: JSSE is another API that can be used for secure communication. For the differences between the two, see When to use Java GSS-API vs. JSSE.
The JAAS and Java GSS-API tutorials are presented together because JAAS authentication is typically performed prior to secure communication using Java GSS-API. Thus JAAS and Java GSS-API are related and often used together. However, it is possible for applications to use JAAS without Java GSS-API, and it is also possible to use Java GSS-API without JAAS. Furthermore, JAAS itself can be used simply for authentication or for both authentication and authorization.
The following tutorials provide working examples for all of the scenarios described above.
Demonstrates the use of the Java GSS-API for secure message exchanges between a client application and a server application.
Explains how an application can authenticate users using JAAS.
Explains how to enforce user-based access controls using JAAS.
Describes a utility program that authenticates a user using JAAS and executes any application as that user. The appropriate user-based access controls are enforced while the application executes. This utility, as a convenience, essentially performs the operations described in the JAAS Authentication and JAAS Authorization tutorials on your behalf. Therefore it is possible to skip directly to this tutorial if you do not need to know how to perform JAAS authentication and authorization directly.
The most comprehensive tutorial. The Login utility is used to authenticate a service user and to start up a server application as that user. The Login utility is also used to authenticate a client user and to start up a client application as that user. Finally, the client and server applications, on behalf of their authenticated client and service users, exchange secure messages using the Java GSS-API.
Shows additional operations the server application in the previous tutorial can perform once communication has been established with the client application.
All applications in all tutorials in this series utilize Kerberos Version 5 as the underlying technology for authentication and secure communication. See Kerberos Requirements. The term "Kerberos" used throughout the tutorials is meant to refer to Kerberos Version 5.