Tuesday, April 29, 2008

J2EE Security and JAAS

What is the authentication technology used in J2EE?
There is a widespread misunderstanding that JAAS is the underlying security mechanism used in J2EE.
The J2EE spec requires form-based, HTTP basic and certificate (SSL mutual) authentication for web applications. However, it does not specify any particular authentication technique for application clients (EJB and JMS clients).
JAAS is not a supported authentication technique for application clients. JAAS is a J2SE feature, and its scope is limited to a single JVM. JAAS is supported in J2EE only as a J2SE feature.
If you have an application client, you need to use vendor-specific code for authentication. This is not going to change in Java EE 5 or Java EE 6.
I am really puzzled why an API for authentication is not included in the J2EE spec.
If you consider WebLogic, the WebLogic authentication mechanism (UsernamePasswordLoginModule) is something similar to JAAS (but not JAAS).
J2EE security talks only about:
a) declarative authorization (via the security-constraint tag in deployment descriptors)
b) programmatic authorization (via the API: isCallerInRole, getCallerPrincipal, isUserInRole, getUserPrincipal)
c) authentication for web applications (basic, form, SSL mutual authentication)
d) transport security (SSL, via the transport-guarantee tag).
Given below are a few quotes from the J2EE and EJB specs:
J2EE.3.4.2 Required Login Mechanisms
All J2EE products are required to support three login mechanisms: HTTP basic authentication, SSL mutual authentication, and form-based login.
J2EE.3.4.4 Application Client User Authentication
The application client container must provide authentication of application users to satisfy the authentication and authorization constraints enforced by the enterprise bean containers and web containers. The techniques used may vary with the implementation of the application client container, and are beyond the control of the application.
21.6.3 Security Mechanisms (EJB 2.1 spec)
The EJB Container Provider must provide the security mechanisms necessary to enforce the security policies set by the Deployer. The EJB specification does not specify the exact mechanisms that must be implemented and supported by the EJB server.