
Shared Authentication and PAM

CAS is a Single Sign-On mechanism. The user logs on once to the CAS server and is thereby identified to all the applications on the network. If Single Sign-On is not possible, the next best option is a shared authentication mechanism: the user may still have to log on to each application, but the Netid and password are stored in a single place, so no application keeps its own copy.

For a networked system to provide convenient user authentication to other applications, it needs a reliable store for the userid and password and a convenient protocol (supported by many systems and languages) for submitting the authentication request. The exchange must be protected so that the password cannot be recovered by monitoring traffic on the network.

Kerberos 4 or 5 meets these requirements (Kerberos 4 is obsolete; any new deployment should use Kerberos 5). LDAP over SSL is another popular choice. There are also legacy protocols such as NTLM (in old Windows domains) and NIS (on old Unix systems). It would be a bad idea for every application to have to provide its own support for every protocol, so the Pluggable Authentication Module (PAM) idea was born: a single, simple interface, provided by system shared libraries, that every application can call. Outside the application, a system administrator configures that common interface to use one or more external plug-in authentication modules, each speaking a different protocol to a different set of back-end systems.

JAAS - Pluggable Java Authentication

JAAS is the Java (SE) version of the PAM idea. It is a standard set of classes built into Java since 1.4. These classes follow a "service provider" design pattern in which external Java classes implementing a standard interface (the LoginModule) can be selected to perform the actual authentication against some sort of back-end system. Java ships with Sun classes that authenticate a userid and password against a Kerberos 5 KDC or an LDAP server. Legacy NT and NIS modules still exist, but they serve no useful purpose on modern systems.

JAAS separates the Java application (SE or EE) from any particular back-end authentication mechanism. The Java program calls JAAS to authenticate a userid and password. The configuration is done externally by a system administrator, who selects a particular protocol plugin and configures it with the network addresses of the appropriate back-end server.

However, JAAS has a few extra features and has been adapted for use in several entirely different system designs. The purpose of this paper is to explore that extra function behind the basic, minimal JAAS usage described in the manuals and used by CAS and several other applications.
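The separation described above, shown as an added example (this is not code from the original page or from CAS): the Java program only asks a LoginContext to authenticate a userid and password, while the external login configuration file decides whether that request goes to a Kerberos 5 KDC or to an LDAP server. The file name `jaas.conf`, the application entry name `ExampleApp`, the realm, KDC and LDAP hostnames are assumptions made for the example.

```java
// Added example: a minimal JAAS client. The LoginModule is selected in the
// external config file, not in this code.
//
// jaas.conf (constructed for this example; pass it with
//   -Djava.security.auth.login.config=jaas.conf), Kerberos 5 back end:
//
//   ExampleApp {
//       com.sun.security.auth.module.Krb5LoginModule required;
//   };
//
// To switch the back end to LDAP over SSL, only this file changes, e.g.:
//
//   ExampleApp {
//       com.sun.security.auth.module.LdapLoginModule required
//           userProvider="ldaps://ldap.example.edu:636/ou=People,dc=example,dc=edu"
//           userFilter="(uid={USERNAME})"
//           useSSL=true;
//   };
//
// Kerberos run (hostnames are assumptions):
//   java -Djava.security.auth.login.config=jaas.conf \
//        -Djava.security.krb5.realm=EXAMPLE.EDU \
//        -Djava.security.krb5.kdc=kdc.example.edu JaasLoginExample alice

import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class JaasLoginExample {

    /** Supplies the Netid and password to whichever module the config selected. */
    static final class FixedCredentialHandler implements CallbackHandler {
        private final String netid;
        private final char[] password;

        FixedCredentialHandler(String netid, char[] password) {
            this.netid = netid;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(netid);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    // A module asking for something this program cannot supply
                    // (e.g. an interactive text prompt) is a configuration error.
                    throw new UnsupportedCallbackException(cb, "unsupported callback");
                }
            }
        }
    }

    /** Returns the authenticated Subject, or throws LoginException on failure. */
    public static Subject authenticate(String netid, char[] password) throws LoginException {
        LoginContext lc = new LoginContext("ExampleApp",
                new FixedCredentialHandler(netid, password));
        try {
            lc.login();              // the selected module talks to the KDC or LDAP server
            return lc.getSubject();  // principals were populated by that module
        } finally {
            Arrays.fill(password, '\0');  // do not leave the password lying in memory
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: JaasLoginExample <netid>");
            System.exit(2);
        }
        char[] pw = System.console().readPassword("Password for %s: ", args[0]);
        try {
            Subject s = authenticate(args[0], pw);
            System.out.println("Authenticated principals: " + s.getPrincipals());
        } catch (LoginException e) {
            // Report failure without echoing the credentials; the module's
            // message already says whether the KDC/LDAP server rejected them.
            System.err.println("Login failed: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Note that `authenticate` never names a protocol: the same compiled class authenticates against Kerberos or LDAP depending on which LoginModule the administrator lists under `ExampleApp`. The CallbackHandler is the only application-side contract, and rejecting unexpected callbacks (rather than silently ignoring them) keeps a misconfigured module from hanging or succeeding with an empty password.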

JAAS Login Context

To use JAAS
