A Java SE application or a Tomcat server runs under a native operating system userid. When it uses files and other local resources, it does so under the authority of that local system login.
However, when an SE application accesses a network service on a remote system (say a database through JDBC), the local userid doesn't necessarily propagate through the network. Some other Java APIs expose their own custom mechanism to provide a separate userid and password login to the remote server. A Web application running under Tomcat has the reverse problem: obtaining the identity of the remote user in order to access a personal profile or make access control decisions (in the JDBC connection or in a Web URL). JAAS provides a common service for all the other network services.
A J2EE container may want to identify a remote user and associate this identity with a Request, the thread processing the Request, and perhaps a Session object shared across requests. JAAS provides a common API and some standard services that can support container-based authentication, but it is up to the container to save the results generated by the JAAS authentication in its own management objects.
To use JAAS, Java code creates a LoginContext associated with a bundle of configuration parameters that names one or more plug-in service providers. Each provider tries to validate the credentials against a network service. Success generates Subject and Principal objects chained to the LoginContext.
- The LdapLoginModule accepts a userid/password, uses them to login to an LDAP directory, and may return information from the LDAP User object in the generated Subject and Principal objects. LDAP attributes can be used to make access control decisions.
- The Krb5LoginModule accepts a userid/password or a keytab file containing the secret key. It returns Subject and Principal objects containing the secret key and the Ticket Granting Ticket. The TGT can be used to gain access to other network services that use Kerberos.
- The Krb5LoginModule can alternately accept a Service Ticket and return the userid of the remote user who sent it in the Subject/Principal.
- The CasLoginModule (yes one has been written for JBoss) accepts the CAS Service Ticket, validates it to the CAS server, and returns the netid and Proxy info in the Subject/Principal objects. Through Proxy services, this identity can then be propagated to another JBoss server when a request is made to a remote JBoss EJB.
Because JAAS exposes a single published service provider interface, vendors of specialized identity hardware can write their own plug-in XxxLoginModule class and distribute smart cards, USB devices, or other forms of credential. There will always have to be some custom code in the login form or user interface, but JAAS standardizes a lot of the back-end work across all sorts of applications and J2EE containers.
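The following program is an added example, not code from the original page or from any of the products it mentions. It shows both halves of the mechanism described above: the LoginContext/Configuration/CallbackHandler plumbing that application code uses, and the LoginModule plug-in contract (initialize, login, commit, abort, logout) that a vendor or service provider implements. The module, TableLoginModule, and the principal class, UserPrincipal, are hypothetical names; the module validates against a constructed in-memory table that stands in for the LDAP directory, KDC or CAS server a real module would contact. The programmatic Configuration plays the role a jaas.conf entry normally would.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasDemo {

    /** Principal carrying the validated userid; added to the Subject on commit. */
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "UserPrincipal[" + name + "]"; }
    }

    /** Hypothetical plug-in module implementing the two-phase JAAS contract. */
    public static class TableLoginModule implements LoginModule {
        // Constructed stand-in for the network service the module would consult.
        private static final Map<String, char[]> TABLE = new HashMap<>();
        static { TABLE.put("alice", "correct horse".toCharArray()); }

        private Subject subject;
        private CallbackHandler handler;
        private String userid;
        private boolean succeeded;

        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;   // the Subject the LoginContext owns
            this.handler = handler;   // how the module asks the UI for credentials
        }

        @Override
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("userid: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (java.io.IOException | UnsupportedCallbackException e) {
                throw new LoginException("cannot collect credentials: " + e);
            }
            char[] given = pc.getPassword();
            pc.clearPassword();
            succeeded = given != null && Arrays.equals(TABLE.get(nc.getName()), given);
            if (given != null) Arrays.fill(given, '\0');   // do not keep the secret around
            if (!succeeded) throw new FailedLoginException("bad userid or password");
            userid = nc.getName();
            return true;
        }

        /** Phase two: only now is the identity attached to the Subject. */
        @Override
        public boolean commit() {
            if (!succeeded) return false;
            subject.getPrincipals().add(new UserPrincipal(userid));
            return true;
        }

        @Override
        public boolean abort() { userid = null; succeeded = false; return true; }

        @Override
        public boolean logout() {
            subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal);
            return true;
        }
    }

    /** Programmatic equivalent of a jaas.conf entry named "Demo" that lists the module. */
    static Configuration config() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!"Demo".equals(name)) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        TableLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        Collections.emptyMap()) };
            }
        };
    }

    /** The "custom code in the login form": answers whatever callbacks the module sends. */
    static CallbackHandler handler(String user, String pass) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    /** What application or container code calls; returns the populated Subject. */
    static Subject authenticate(String user, String pass) throws LoginException {
        LoginContext lc = new LoginContext("Demo", null, handler(user, pass), config());
        lc.login();               // drives login() then commit()/abort() on every module
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        Subject s = authenticate("alice", "correct horse");
        System.out.println("principals: " + s.getPrincipals(UserPrincipal.class));
        try {
            authenticate("alice", "wrong");
        } catch (LoginException e) {
            System.out.println("rejected: " + e.getMessage());   // abort() was called instead of commit()
        }
    }
}
```

The container's job, as the text puts it, begins where authenticate() ends: the returned Subject and its UserPrincipal are what Tomcat or JBoss would attach to the Request, thread or Session. Swapping TableLoginModule for com.sun.security.auth.module.LdapLoginModule or Krb5LoginModule in the Configuration entry changes nothing in authenticate() or the CallbackHandler, which is the point of the single service provider interface.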
Shared Authentication
CAS is a Single Sign-On mechanism. The user logs on once to the CAS server and identifies himself though that one server to all the applications on the network. However, CAS can only be used by Web based applications that can be adapted to use its protocol. When you cannot use SSO, then you still want to avoid ending up with a dozen different systems each with its own set of userids and passwords.
...