Java™ by example!
How do I do authentication with JAAS?
Authentication

The authentication component of JAAS determines who is executing code. It hurts usability to make a user remember a different password for every program that requires authentication, and if users on a system are used to identifying themselves with a fingerprint reader, ideally your new Java application would accept the same thing. JAAS therefore uses a pluggable authentication architecture modelled on PAM (Pluggable Authentication Modules): each authentication mechanism is implemented as a separate module that an application selects through configuration rather than code, so existing PAM-style mechanisms can be integrated with your program and vendors can write modules for different login systems without the application changing. More information about PAM can be found here.

The following example shows how to build an authentication module. These steps are executed when authenticating a subject:
- Instantiate a LoginContext
- The LoginContext loads one or more LoginModules described in a Configuration
- login() is called on the instantiated LoginContext
- login() is called on each LoginModule to see whether the user can be authenticated; if the overall result is positive, commit() is called on each module to associate principals and credentials with the subject, otherwise abort() is called on each module
- If the login succeeded, the authenticated subject can be retrieved from the LoginContext. Otherwise, a LoginException is thrown.
Here is a small example that asks the user for a username and password and looks the pair up in a text file to decide whether that user may continue. First we create a "database" text file, passwd, containing one user entry per line in the form username,password. (The passwords are stored in plaintext purely to keep the example short; a real system stores salted password hashes and restricts the file's permissions.) passwd:
Then we write our authentication module. UsernamePasswordLoginModule.java:
This implementation of LoginModule contains the code that decides whether a user is permitted to log in. You can provide multiple login modules, each checking a different authentication source. Our module checks whether the username and password exist in our database text file passwd. Its task is to decide whether the username/password pair presented for the subject should be accepted and, on success, to add principals to that subject. When authentication is requested, JAAS calls the methods of our LoginModule in a fixed order. initialize() is called first with the state the module needs, most importantly the Subject being authenticated and a CallbackHandler instance that is used later to obtain the login information from the user.
- login() first creates a set of Callbacks, one for the username (NameCallback) and one for the password (PasswordCallback). After we call handle() on our CallbackHandler, both callback objects should be filled in. In this case (see below) a Swing dialog pops up and asks the user for a username and password, but the handler can obtain the information in any other way, for example from the account currently logged in to a Windows NT domain; that is exactly why the module never talks to the user directly. Once we have the username and password we check whether they appear in the passwd file. The password should be handled as a char[] and cleared after the comparison rather than converted to an immutable String, which would leave copies in the heap.
- commit() is called when the overall login succeeded. It fills the subject with the associated principals and credentials and cleans up the module's temporary state.
- abort() is called when the overall authentication fails, that is, when login() or commit() failed in this module or in another module whose result was required; it must undo any state or principals that login() or commit() produced.
- logout() is called when the user logs out; it removes the principals and credentials that commit() added.
For more information on how to write a LoginModule, check out the JAAS LoginModule Developer's Guide. Our Main program looks like this: Main.java:
You create an instance of LoginContext, the class that authenticates subjects. You pass in a String naming the entry in the login configuration that lists the LoginModules to use; in our example that is MyAuthenticationComponents (see the jaas.config file below). If no LoginException is thrown, the subject is printed out. Notice that we use DialogCallbackHandler, an undocumented Sun class from the com.sun.security.auth.callback package that pops up a dialog box asking for a username and password. It is not part of the Java SE API and later JDK releases deprecated and then removed it, so production code should supply its own CallbackHandler implementation. jaas.config:
This configuration file specifies the module used to authenticate the user. The required flag means the module must succeed for the overall login to succeed, although the remaining modules in the list are still run. You may list several login modules with different flags; the other flags are requisite, sufficient and optional. Check out this article for more information on these flags. Finally we have a MyPrincipal class that implements the Principal interface and encapsulates a subject's identity. MyPrincipal.java:
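The module, principal, configuration and driver described above, as one added example that is not part of the original page (the page's own UsernamePasswordLoginModule.java, Main.java, jaas.config and MyPrincipal.java are not reproduced here). It assumes: the user database is a constructed in-memory map holding the single entry johndoe/abcdefg instead of the passwd file; the login configuration is supplied programmatically as a Configuration subclass, with the equivalent jaas.config entry shown in a comment; and a non-interactive CallbackHandler replaces DialogCallbackHandler so the code runs headless. The names JaasExample, handlerFor and constantTimeEquals are the example's own.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasExample {
    /** Identity attached to the Subject on success (stand-in for the page's MyPrincipal). */
    public static final class MyPrincipal implements Principal {
        private final String name;
        public MyPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof MyPrincipal && name.equals(((MyPrincipal) o).name); }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "MyPrincipal[" + name + "]"; }
    }
    /** Username/password module. PASSWD is a constructed in-memory stand-in for the passwd file; a real module looks up a salted hash, never plaintext. */
    public static class UsernamePasswordLoginModule implements LoginModule {
        private static final Map<String, char[]> PASSWD = Map.of("johndoe", "abcdefg".toCharArray());
        private Subject subject;
        private CallbackHandler handler;
        private String username;
        private boolean succeeded;
        private MyPrincipal principal;
        @Override public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;   // the Subject being authenticated
            this.handler = handler;   // how we ask for credentials, without knowing anything about the UI
        }
        @Override public boolean login() throws LoginException {
            NameCallback nameCb = new NameCallback("username: ");
            PasswordCallback pwCb = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nameCb, pwCb });   // the handler fills both callbacks in
            } catch (IOException | UnsupportedCallbackException e) {
                throw (LoginException) new LoginException("could not collect credentials").initCause(e);
            }
            username = nameCb.getName();
            char[] supplied = pwCb.getPassword();   // a copy; the callback keeps its own
            pwCb.clearPassword();                   // wipe the callback's copy
            try {
                succeeded = constantTimeEquals(username == null ? null : PASSWD.get(username), supplied);
            } finally {
                if (supplied != null) Arrays.fill(supplied, '\0');   // never leave the password in the heap
            }
            if (!succeeded) throw new FailedLoginException("invalid username or password");
            return true;
        }
        private static boolean constantTimeEquals(char[] a, char[] b) {   // no early exit: timing does not reveal matching prefix length
            if (a == null || b == null || a.length != b.length) return false;
            int diff = 0;
            for (int i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
        @Override public boolean commit() {
            if (!succeeded) return false;   // overall login failed; abort() is called next
            principal = new MyPrincipal(username);
            subject.getPrincipals().add(principal);
            return true;
        }
        @Override public boolean abort() { return succeeded && logout(); }   // undo whatever login()/commit() did
        @Override public boolean logout() {
            if (principal != null) subject.getPrincipals().remove(principal);
            succeeded = false; principal = null; username = null;
            return true;
        }
    }
    /** Programmatic equivalent of this jaas.config entry: MyAuthenticationComponents { JaasExample$UsernamePasswordLoginModule required; }; */
    static final Configuration CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!"MyAuthenticationComponents".equals(name)) return null;
            return new AppConfigurationEntry[] { new AppConfigurationEntry(UsernamePasswordLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.emptyMap()) };
        }
    };
    static CallbackHandler handlerFor(String user, char[] password) {   // non-interactive stand-in for DialogCallbackHandler
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb, "unsupported callback type");
            }
        };
    }
    public static void main(String[] args) {
        for (String pw : new String[] { "abcdefg", "sdefujm" }) {   // constructed trials: the right password, then a wrong one
            try {
                LoginContext lc = new LoginContext("MyAuthenticationComponents", new Subject(), handlerFor("johndoe", pw.toCharArray()), CONFIG);
                lc.login();
                System.out.println("login ok: " + lc.getSubject().getPrincipals());
                lc.logout();
            } catch (LoginException e) {
                System.out.println("login failed: " + e.getMessage());
            }
        }
    }
}
```

Compile and run with javac JaasExample.java followed by java JaasExample. The first attempt passes login() and commit(), which attaches a MyPrincipal for johndoe to the Subject; the second fails inside login() with a FailedLoginException, so the LoginContext calls abort() and the Subject stays empty. Because the Configuration object is handed straight to the LoginContext, no java.security.auth.login.config property is needed; to use a file instead, put the entry from the comment into jaas.config, drop the fourth constructor argument and set the property as described below. Two details are deliberate: the password is compared as a char[] and wiped in a finally block, and the comparison has no early exit, so a failed attempt takes the same time regardless of how many leading characters matched.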
To run this code, we need to tell the JVM which login configuration file to use. One way is to set the system property java.security.auth.login.config on the command line:
Alternatively, it can be configured in the JRE's java.security properties file through login.config.url.n entries. Check out this reference for more information. Output with username=johndoe, password=sdefujm:
Output with username=johndoe, password=abcdefg:
Further Information
Author of answer: Joris Van den Bogaert