Thursday, December 5, 2024

Implementing Java-based User Authentication with JAAS

Once you’ve built a commercial website or two it becomes apparent that most business owners share similar requirements in terms of basic functionality. Common use cases include product or service management, user/membership management, and user authentication. If you’re developing in Java, the latter can be handled by JAAS. Whether you want to handle user authentication on a user-by-user basis or using role-based access, JAAS is a good choice. In today’s article, we’ll be looking at some popular security framework offerings from a bird’s eye view, learning the basics of JAAS, and finally, going through a simple login process using actual classes that you’ll be able to run and play with.

Java Security Frameworks at a Glance

Security is something that you should never try to implement yourself. Back before security was such an ongoing concern, I knew developers who rolled their own encryption algorithms. There is no need to write your own security boilerplate; within Java, there are several excellent security frameworks designed to make securing an application faster, easier, and far more likely to succeed than a home-grown solution.

There are three major players in the realm of Java application security: JAAS (Java Authentication and Authorization Service), Spring Security, and Apache Shiro. JAAS has one distinction over the other two: it is the only one of the three that has been integrated directly into the Java Development Kit, as of JDK 1.4. Having said that, the JAAS framework is somewhat less powerful, as it focuses mainly on authentication and authorization of users within an application; other features, such as user management, are lacking. From an architectural point of view, JAAS separates the authentication concerns cleanly from the application logic, so JAAS security can be added to an existing application with a minimum of code changes. It is for this reason that it is considered to be “pluggable”. JAAS supports multiple types of authentication, including username and password, voice, fingerprint, biometrics, and others.

For detailed information about JAAS, I would recommend that you take a look at the official guide. The remainder of this tutorial will cover how to authenticate a user using JAAS in a simple Java application that we will build in Eclipse.

The JAAS Configuration File

JAAS needs to know which Login Module (or Login Modules) to use for authentication. The Login Modules are specified in a JAAS configuration file, and there are two ways to tell JAAS where that file is. The first is to set a login.config.url location (or locations) in the /jre/lib/security/java.security file of your Java installation. There is a sample entry in this file already:

login.config.url.1=file:${user.home}/.java.login.config

Multiple config files can be specified by numbering the keys login.config.url.1, login.config.url.2, and so on:

login.config.url.1=file:C:/config/.java.login.config
login.config.url.2=file:C:/users/foo/.foo.login.config

The second way to specify the location of the JAAS configuration file is to assign a value to the java.security.auth.login.config System property. One way to do that is via a System.setProperty() call, as we’ll be doing in our demo. You can also provide the -Djava.security.auth.login.config=FILE_LOCATION flag when starting your application.

In the main() method, we will set the login config to “jaas.config” (see the The main() Method section below):

System.setProperty("java.security.auth.login.config", "jaas.config");

Let’s add our JAAS configuration file to our project now.

Fire up Eclipse and create a new Java Project named “JaasDemo.”

Create a new file in the project root named “jaas.config”.

Paste the following code into the file:

/** JaasDemo Login Configuration **/

JaasDemo {
   com.robgravelle.jaasdemo.JaasDemoLoginModule required debug=true;
};
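Added here as a check that is not part of the original article: this class loads the entry above through javax.security.auth.login.Configuration, the same API that LoginContext consults, and fails fast if the JaasDemo entry is missing or not marked required (a missing entry otherwise surfaces only as a LoginException at login time). It writes the sample entry to a temporary file so it runs on its own; JaasConfigCheck and requireEntries are names chosen for this example.

```java
package com.robgravelle.jaasdemo;

import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

/** Verifies that JAAS can see the "JaasDemo" entry before any login is attempted. */
public class JaasConfigCheck {

    // Constructed copy of the article's jaas.config, written to a temp file below
    // so the check runs stand-alone (example-only; use the real file in a project).
    private static final String SAMPLE_CONFIG =
          "/** JaasDemo Login Configuration **/\n"
        + "JaasDemo {\n"
        + "   com.robgravelle.jaasdemo.JaasDemoLoginModule required debug=true;\n"
        + "};\n";

    /** Returns the login module entries for appName, or throws if JAAS finds none. */
    static AppConfigurationEntry[] requireEntries(String appName) {
        // The default Configuration honours java.security.auth.login.config first,
        // then the login.config.url.N keys in java.security, exactly as LoginContext does.
        AppConfigurationEntry[] entries =
            Configuration.getConfiguration().getAppConfigurationEntry(appName);
        if (entries == null || entries.length == 0) {
            throw new IllegalStateException("No JAAS entry named '" + appName
                + "'; java.security.auth.login.config="
                + System.getProperty("java.security.auth.login.config"));
        }
        return entries;
    }

    public static void main(String[] args) throws Exception {
        Path cfg = Files.createTempFile("jaas", ".config");
        Files.writeString(cfg, SAMPLE_CONFIG);
        // Must be set before the first Configuration.getConfiguration() call.
        System.setProperty("java.security.auth.login.config", cfg.toString());

        for (AppConfigurationEntry e : requireEntries("JaasDemo")) {
            Map<String, ?> options = e.getOptions();   // parsed key=value options
            System.out.println("module: " + e.getLoginModuleName());
            System.out.println("flag:   " + e.getControlFlag());
            System.out.println("debug:  " + options.get("debug"));
            if (e.getControlFlag() != LoginModuleControlFlag.REQUIRED) {
                throw new IllegalStateException("JaasDemo module must be 'required'");
            }
        }
        Files.deleteIfExists(cfg);
    }
}
```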

The main() Method

We will place the main method in a class named “JaasAuthenticationDemo”.

Create this class in a package “com.robgravelle.jaasdemo” and make sure that you check the box to create the static void main() method:


Click Finish to close the dialog and create the new class.

Copy and paste the following code into the JaasAuthenticationDemo.java file:

package com.robgravelle.jaasdemo;

import java.util.Scanner;

import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class JaasAuthenticationDemo {

    public static void main(String[] args) {
        // Point JAAS at the jaas.config file in the project root
        System.setProperty("java.security.auth.login.config", "jaas.config");

        // Collect the credentials from the console (Scanner echoes the password; fine for a demo)
        Scanner sc = new Scanner(System.in);
        System.out.println("Please enter your user ID.");
        String name = sc.next();
        System.out.println("Please enter your password.");
        String password = sc.next();
        sc.close();

        try {
            // "JaasDemo" must match the entry name in jaas.config;
            // the CallbackHandler hands the collected credentials to the LoginModule
            LoginContext lc = new LoginContext("JaasDemo", new JaasDemoCallbackHandler(name, password));
            lc.login(); // throws LoginException if the required module rejects the credentials
        } catch (LoginException e) {
            e.printStackTrace();
        }
    }
}

A couple of things to note in the above code are the setting of the login config file name and the LoginContext() creation, which uses the entry name from the Login Configuration file and instantiates a new CallbackHandler.

Conclusion

Now that we’ve gotten our feet wet, we’ll be coding the JaasDemoCallbackHandler and LoginModule classes in part 2.

Rob Gravelle
Rob Gravelle resides in Ottawa, Canada, and has been an IT guru for over 20 years. In that time, Rob has built systems for intelligence-related organizations such as Canada Border Services and various commercial businesses. In his spare time, Rob has become an accomplished music artist with several CDs and digital releases to his credit.
