...
The reason for the callback class is that a userid and password are not the only credentials someone can use to prove their identity. In addition to a password, a Kerberos 5 KDC can authenticate a principal using a keytab file containing the secret key derived from the password. Keytab files are a common way to identify not people, but specific services residing on machines in the network. When the key is stored on a USB device, the callback gives a special Java driver the opportunity to use the device to prove identity.
However, the JAAS function has a few extra features and has been adapted to be used in several entirely different system designs. The purpose of this paper is to explore this extra function behind the basic minimal JAAS function described in the manuals and used by CAS and several other applications.

JAAS is different from most of the standard Java services in that it is not designed to work exactly the same on all systems. The "write once run anywhere" rule applies to applications. JAAS removes the actual work of authentication from the application, leaving only the request interface. That request will "work" on all systems, but the algorithms that back it must vary not just between different types of operating systems, but more importantly between different institutions. Run the same application on the same container on the same OS, and authentication at Harvard is not necessarily the same thing as authentication at Yale.
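The two points above (the callback class as the channel through which a login module asks for whatever credential it needs, and the site-specific configuration that decides which module backs a login) can be shown together in one small program. The following is an added example written for this page, not code from CAS or from the JAAS documentation. It assumes the standard Sun/Oracle Krb5LoginModule and a working krb5.conf on the machine; the entry names "interactive" and "service", the keytab path, the principal name and the userid/password are constructed placeholders, not values from the page.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** A CallbackHandler that answers the module's questions with a userid and password held in memory. */
final class PasswordHandler implements CallbackHandler {
    private final String user;
    private final char[] password;

    PasswordHandler(String user, char[] password) {
        this.user = user;
        this.password = password.clone();
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(user);
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(password);
            } else {
                // Any other callback is something this handler does not know how to answer.
                throw new UnsupportedCallbackException(cb, "unsupported: " + cb.getClass().getName());
            }
        }
    }

    /** Zero the password copy once the login attempt is over. */
    void clear() {
        Arrays.fill(password, '\0');
    }
}

/**
 * Programmatic equivalent of a two-entry login.config. The application only names an
 * entry; this class (the institution's choice) decides what actually backs it.
 */
final class SiteConfiguration extends Configuration {
    private static final String KRB5 = "com.sun.security.auth.module.Krb5LoginModule";

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        Map<String, String> opts = new HashMap<>();
        switch (name) {
            case "interactive":
                // A person: the KDC verifies the password supplied through the callbacks.
                break;
            case "service":
                // A service principal: the key comes from a keytab (placeholder path and
                // principal) and the module must never fall back to prompting a human.
                opts.put("useKeyTab", "true");
                opts.put("keyTab", "/etc/krb5.keytab");
                opts.put("principal", "HTTP/app.example.edu@EXAMPLE.EDU");
                opts.put("storeKey", "true");
                opts.put("doNotPrompt", "true");
                break;
            default:
                return null; // unknown entry: LoginContext throws LoginException
        }
        return new AppConfigurationEntry[] {
            new AppConfigurationEntry(KRB5, LoginModuleControlFlag.REQUIRED, opts)
        };
    }
}

public class JaasLoginExample {
    /** The whole of what the application sees: name an entry, hand over a handler, log in. */
    static Subject login(String entry, CallbackHandler handler) throws LoginException {
        LoginContext ctx = new LoginContext(entry, handler);
        ctx.login();             // the modules call handler.handle() only if they need to
        return ctx.getSubject(); // carries the authenticated principal and its Kerberos credentials
    }

    public static void main(String[] args) throws Exception {
        Configuration.setConfiguration(new SiteConfiguration());

        // Constructed sample credentials; a real caller would obtain them from the user.
        PasswordHandler handler = new PasswordHandler("alice", "placeholder-password".toCharArray());
        try {
            Subject person = login("interactive", handler);
            System.out.println("authenticated: " + person.getPrincipals());
        } catch (LoginException e) {
            System.out.println("login failed: " + e.getMessage());
        } finally {
            handler.clear();
        }

        // A service login passes no handler at all: the keytab replaces the password.
        Subject service = login("service", null);
        System.out.println("service principal: " + service.getPrincipals());
    }
}
```

The application code in `login()` is identical for both entries; whether a password, a keytab, or (with a different handler) a hardware token satisfies the module is decided entirely by the configuration and the handler, which is the separation the text describes. Failed logins surface as LoginException rather than a partially populated Subject, so callers should treat only a returned Subject as proof of identity.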
There are also some extra features in JAAS, particularly when it is used with Kerberos 5. However, before these features can be understood, we need to probe a bit more into the parts of the JAAS API that people do not learn when they are just using it to verify a password.
JAAS Login Context
To use JAAS