Introduction to JAAS and Java GSS-API Tutorials
This page links to a series of tutorials demonstrating various aspects of the use of JAAS (Java Authentication and Authorization Service) and Java GSS-API.
JAAS can be used for two purposes:
- for authentication of users, to reliably and securely determine who is currently executing Java code, and
- for authorization of users to ensure they have the access control rights (permissions) required to do security-sensitive operations.
Java GSS-API is used for securely exchanging messages between communicating applications. It contains the Java bindings (RFC 2853) for the Generic Security Services Application Program Interface (GSS-API), whose language-independent definition is RFC 2743. GSS-API gives application programmers uniform access to authentication, integrity and confidentiality services on top of a variety of underlying security mechanisms, including Kerberos.
Note: JSSE is another API that can be used for secure communication. For the differences between the two, see When to use Java GSS-API vs. JSSE.
JAAS and Java GSS-API tutorials are presented together because JAAS authentication is typically performed before secure communication with Java GSS-API: JAAS logs the user in and stores the resulting Kerberos credentials in a Subject, and the Java GSS-API Kerberos mechanism then uses those credentials to establish a security context. The two are therefore related and often used together. However, applications can use JAAS without Java GSS-API, and Java GSS-API without JAAS. Furthermore, JAAS itself can be used for authentication alone or for both authentication and authorization.
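The combined flow described above, as an added example that is not code from the tutorials: a JAAS login with Krb5LoginModule, followed by a Java GSS-API context established and used inside Subject.doAs. It assumes (none of this is on the page) a reachable Kerberos KDC configured through krb5.conf or the java.security.krb5.* system properties, a login entry named "SampleClient" supplied programmatically here instead of through a JAAS configuration file, a service principal host/<server> registered with the KDC, and a server that exchanges GSS tokens framed as a 4-byte length followed by the token bytes over TCP.

```java
// Added example: JAAS Kerberos login, then a Java GSS-API context run as
// the authenticated Subject. Assumptions (not from the page): a KDC, a
// "SampleClient" login entry, a host/<server> principal, and a server that
// speaks length-prefixed GSS tokens on a TCP port.
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import com.sun.security.auth.callback.TextCallbackHandler;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.MessageProp;
import org.ietf.jgss.Oid;

public class JaasGssClient {

    // Programmatic equivalent of a jaas.conf entry:
    //   SampleClient { com.sun.security.auth.module.Krb5LoginModule required; };
    static final Configuration KRB5_CONFIG = new Configuration() {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!"SampleClient".equals(name)) return null;
            Map<String, String> opts = new HashMap<>();
            opts.put("useTicketCache", "false"); // prompt for a password, do not reuse a cache
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
        }
    };

    public static void main(String[] args) throws Exception {
        String serverHost = args.length > 0 ? args[0] : "server.example.com"; // assumed host
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 4444;        // assumed port

        // Step 1: JAAS authentication. Krb5LoginModule obtains a TGT from the KDC
        // and stores it as a private credential of the Subject.
        LoginContext lc = new LoginContext("SampleClient", null,
                new TextCallbackHandler(), KRB5_CONFIG);
        lc.login();
        Subject subject = lc.getSubject();

        // Step 2: run the GSS-API exchange as that Subject so the Kerberos
        // mechanism finds the TGT (javax.security.auth.useSubjectCredsOnly=true).
        byte[] reply = Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () ->
                exchange(serverHost, port, "hello".getBytes(StandardCharsets.UTF_8)));
        System.out.println("server replied: " + new String(reply, StandardCharsets.UTF_8));
        lc.logout();
    }

    static byte[] exchange(String host, int port, byte[] message) throws Exception {
        Oid krb5Mech = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
        GSSManager manager = GSSManager.getInstance();
        GSSName serverName = manager.createName("host@" + host, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(serverName, krb5Mech, null,
                GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true); // authenticate the server, not only the client
        ctx.requestConf(true);       // confidentiality for wrap()
        ctx.requestInteg(true);      // integrity for wrap() and getMIC()

        try (Socket s = new Socket(host, port);
             DataInputStream in = new DataInputStream(s.getInputStream());
             DataOutputStream out = new DataOutputStream(s.getOutputStream())) {

            // Context establishment: exchange tokens until both sides are done.
            byte[] token = new byte[0];
            while (!ctx.isEstablished()) {
                token = ctx.initSecContext(token, 0, token.length);
                if (token != null) {
                    out.writeInt(token.length);
                    out.write(token);
                    out.flush();
                }
                if (!ctx.isEstablished()) {
                    token = new byte[in.readInt()];
                    in.readFully(token);
                }
            }
            // A request is only a request: verify what was actually negotiated,
            // otherwise wrap() may send integrity-only (plaintext) messages.
            if (!ctx.getConfState() || !ctx.getMutualAuthState()) {
                throw new SecurityException("peer did not grant confidentiality and mutual auth");
            }

            // Wrap the application message: encrypted and integrity-protected.
            MessageProp prop = new MessageProp(0, true);
            byte[] wrapped = ctx.wrap(message, 0, message.length, prop);
            out.writeInt(wrapped.length);
            out.write(wrapped);
            out.flush();

            // Unwrap the server's protected reply; unwrap() verifies the checksum.
            byte[] wrappedReply = new byte[in.readInt()];
            in.readFully(wrappedReply);
            return ctx.unwrap(wrappedReply, 0, wrappedReply.length, prop);
        } finally {
            ctx.dispose(); // release the context and its keys
        }
    }
}
```

Two caveats worth knowing before reusing this: the explicit check of getConfState() and getMutualAuthState() after establishment is what turns the request* calls into a guarantee, and on current JDKs Subject.doAs is deprecated in favour of Subject.callAs (JDK 18 and later), which takes a java.util.concurrent.Callable instead of a PrivilegedExceptionAction. If the system property javax.security.auth.useSubjectCredsOnly is set to false, the Java GSS-API Kerberos mechanism performs the JAAS login itself and the explicit LoginContext and Subject.doAs steps can be dropped, which is what the first tutorial in this series relies on.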
The following tutorials provide working examples for all of the scenarios described above.
- Use of Java GSS-API for Secure Message Exchanges Without JAAS Programming
Demonstrates the use of the Java GSS-API for secure message exchanges between a client application and a server application.
- JAAS Authentication
Explains how an application can authenticate users using JAAS.
- JAAS Authorization
Explains how to enforce user-based access controls using JAAS.
- Use of JAAS Login Utility
Describes a utility program that authenticates a user using JAAS and executes any application as that user. The appropriate user-based access controls are enforced while the application executes. This utility, as a convenience, essentially performs the operations described in the JAAS Authentication and JAAS Authorization tutorials on your behalf. Therefore it is possible to skip directly to this tutorial if you do not need to know how to perform JAAS authentication and authorization directly.
- Use of JAAS Login Utility and Java GSS-API for Secure Message Exchanges
The most comprehensive tutorial. The Login utility is used to authenticate a service user and to start up a server application as that user. The Login utility is also used to authenticate a client user and to start up a client application as that user. Finally the client and server applications, on behalf of their authenticated client and service users, exchange secure messages using the Java GSS-API.
- More Things You Can Do With Java GSS-API and JAAS
Shows additional operations the server application in the previous tutorial can perform once communication has been established with the client application.
All applications in all tutorials in this series utilize Kerberos Version 5 as the underlying technology for authentication and secure communication. See Kerberos Requirements. The term "Kerberos" used throughout the tutorials is meant to refer to Kerberos Version 5.
Related Documentation
API Specifications
- com.sun.security.jgss Package
- com.sun.security.auth Package
- com.sun.security.auth.callback Package
- com.sun.security.auth.login Package
- com.sun.security.auth.module Package
Other Java Security Documentation
- Default Policy Implementation and Policy File Syntax
- Permissions in the Java 2 SDK
- Java 2 Security Architecture
Reference Document
- Generic Security Service API Version 2: Java Bindings (RFC 2853), the document that proposed, and requested comments on, the Java bindings for GSS-API that are incorporated into Java GSS-API.