Java Authentication and Authorization Service, or JAAS, pronounced "Jazz", is the Java implementation of the standard Pluggable Authentication Module (PAM) information security framework. JAAS was introduced as an extension library to the Java Platform, Standard Edition 1.3 and was integrated in version 1.4.
JAAS has as its main goal the separation of concerns of user authentication so that they may be managed independently. While the former authentication mechanism contained information about where the code originated from and who signed that code, JAAS adds a marker about who runs the code. By extending the verification vectors JAAS extends the security architecture for Java applications that require authentication and authorization modules.
For the system administrator, JAAS consists of two kinds of configuration file:
For example, an application may have this login.conf file indicating how different authentication mechanisms are to be run to authenticate the user:
For the application developer, JAAS is a standard library that provides:
For the security system integrator, JAAS provides interfaces:
Login modules are primarily concerned with authentication rather than authorization and form a widely used component of JAAS. A login module is required to implement the javax.security.auth.spi.LoginModule interface, which specifies the following methods:
Note: A Subject is the user that is attempting to log in.
Login modules can provide single sign on (SSO) via a particular SSO protocol/framework (e.g. SAML, OpenID, and SPNEGO), can check for the presence of hardware security tokens (e.g. USB token), etc. In an n-tier application, Login Modules can be present on both the client side and server side.
Login modules are written by implementing this interface; they contain the actual code for authentication. It can use various mechanisms to authenticate user credentials. The code could retrieve a password from a database and compare it to the password supplied to the module.