Java Authentication and Authorization Service (JAAS)

Reference: https://javaranch.com/journal/2008/04/authentication-using-JAAS.html

Pluggable - applications remain independent from underlying authentication mechanism, through service provider approach.

Parts:

javax.security.auth.spi.LoginModule - interface for authentication implementation.

javax.security.auth.login.LoginContext - context for the authentication process, this creates a Subject and is populated with various principals and credentials for processing

javax.security.auth.Subject - a single user, entity or system, i.e. a client

java.security.Principal - face of a subject, encapsulates features or properties. one subject can contain multiple principals

Credentials - just pieces of information regarding the subject, could be account numbers, passwords, certificates, etc.

javax.security.auth.Destroyable & javax.security.auth.Refreshable - something should expire after certain time, like a secret ID or key after successful login.

Authentication:

1. create an instance of LoginContext with various constructors.
   • LoginContext(String, CallbackHandler) - string as index to login module stack configuration, callback for passing login information, possibly interact with user
   • an empty Subject is created
2. call the "login" method of the LoginContext
   1. phase 1, individual login module's "login" method is called, but at this point principals and credentials are not attached to the subject (because the principals and credentials could be invalid)
   2. if successful, "commit" methods of all login modules are called, and login modules each attach principals and credentials to the subject. If fails "abort" method will be called and login modules can perform clean up.