JAAS Cheat Sheet
Last revision (mm/dd/yy): 09/11/2017

Introduction

What is JAAS authentication

Authentication is the process of verifying the identity of a user or of another system. JAAS, as an authentication framework, manages the authenticated user's identity and credentials from login to logout. The JAAS authentication lifecycle:
Configuration file

The JAAS configuration file contains a LoginModule stanza for each LoginModule available for logging on to the application. A stanza from a JAAS configuration file:

    Branches {
        USNavy.AppLoginModule required debug=true succeeded=true;
    };

Note the placement of the semicolons, terminating both the LoginModule entry and the stanza. The flag required indicates that the LoginModule must succeed for the LoginContext's login() method to succeed when logging in the user. The LoginModule-specific options debug and succeeded are passed to the LoginModule; they are defined by the LoginModule and their use is handled inside it. Note that options are configured as key-value pairs such as debug="true", with the key and value separated by an equals sign.

Main.java (The client)

    java -Djava.security.auth.login.config==packageName/packageName.config packageName.Main Stanza1

Where:
- packageName is the directory containing the config file.
- packageName.config specifies the config file in the Java package packageName.
- packageName.Main specifies Main.java in the Java package packageName.
- Stanza1 is the name of the stanza Main() should read from the config file.

The double equals sign makes this file the only login configuration in effect, overriding any login configuration files listed in the JRE's java.security properties; a single equals sign would add it to them instead.
LoginModule.java

A LoginModule must have the following authentication methods:
initialize()

In Main(), after the LoginContext reads the correct stanza from the config file, the LoginContext instantiates the LoginModule specified in the stanza.
login()

Captures the user-supplied login information. The code snippet below declares an array of two callback objects which, when passed to the handle() method of the CallbackHandler (in CallbackHandler.java), will be loaded with the user name and password provided interactively by the user:

    NameCallback nameCB = new NameCallback("Username");
    // false: do not echo the password as it is typed
    PasswordCallback passwordCB = new PasswordCallback("Password", false);
    Callback[] callbacks = new Callback[] { nameCB, passwordCB };
    callbackHandler.handle(callbacks);
commit()

Once the user's credentials have been successfully verified during login(), the JAAS authentication framework associates the credentials, as needed, with the Subject. There are two types of credentials, public and private. Public credentials include public keys. Private credentials include passwords and private keys. Principals (i.e. identities the Subject has other than their login name), such as an employee number or a membership ID in a user group, are added to the Subject. Below is an example commit() method. First, for each group the authenticated user is a member of, the group name is added to the Subject as a principal. The Subject's user name is then added to its public credentials.
    public boolean commit() {
        if (userAuthenticated) {
            // One principal per group the user belongs to
            Set groups = UserService.findGroups(username);
            for (Iterator itr = groups.iterator(); itr.hasNext();) {
                String groupName = (String) itr.next();
                UserGroupPrincipal group = new UserGroupPrincipal(groupName);
                subject.getPrincipals().add(group);
            }
            // The user name is not secret, so it goes in the public credentials
            UsernameCredential cred = new UsernameCredential(username);
            subject.getPublicCredentials().add(cred);
        }
        // false tells the LoginContext to ignore this module's result
        return userAuthenticated;
    }

abort()

The abort() method is called when authentication does not succeed. Before the abort() method exits the LoginModule, care should be taken to reset state, including the user name and password input fields.

logout()

    public boolean logout() {
        if (!subject.isReadOnly()) {
            // Remove only what this module added during commit()
            Set principals = subject.getPrincipals(UserGroupPrincipal.class);
            subject.getPrincipals().removeAll(principals);
            Set creds = subject.getPublicCredentials(UsernameCredential.class);
            subject.getPublicCredentials().removeAll(creds);
            return true;
        } else {
            // A read-only Subject cannot be cleaned up
            return false;
        }
    }
CallbackHandler.java

The CallbackHandler lives in a source (.java) file separate from any single LoginModule so that it can service many LoginModules with differing callback objects.
    public void handle(Callback[] callbacks) {
        for (int i = 0; i < callbacks.length; i++) {
            Callback callback = callbacks[i];
            // Fill in each callback type the handler knows how to serve
            if (callback instanceof NameCallback) {
                NameCallback nameCallBack = (NameCallback) callback;
                nameCallBack.setName(username);
            } else if (callback instanceof PasswordCallback) {
                PasswordCallback passwordCallBack = (PasswordCallback) callback;
                passwordCallBack.setPassword(password.toCharArray());
            }
        }
    }
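A complete LoginModule tying the five methods above together, as an added example that is not code from the cheat sheet or from jaasbook.com. It assumes a hypothetical class name ExampleLoginModule, uses the JDK's com.sun.security.auth.UserPrincipal in place of the book's UserGroupPrincipal, and substitutes a constructed verify() for a real credential check; what it adds to the snippets above is the state reset described under abort(), where the password char[] is zeroed rather than just dropped, both on failure and once commit() no longer needs it.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import com.sun.security.auth.UserPrincipal;

// Hypothetical LoginModule (added example, not code from the cheat sheet or jaasbook.com).
// verify() is a constructed stand-in for a real credential check such as a salted-hash lookup.
public class ExampleLoginModule implements LoginModule {
    private Subject subject; private CallbackHandler handler; private UserPrincipal principal;
    private String username; private char[] password; private boolean succeeded;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
        subject = s; handler = h;   // stanza options such as debug=true arrive in 'options'
    }
    public boolean login() throws LoginException {
        NameCallback nameCB = new NameCallback("Username");
        PasswordCallback passwordCB = new PasswordCallback("Password", false);
        try { handler.handle(new Callback[] { nameCB, passwordCB }); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException("Callback failed: " + e); }
        username = nameCB.getName();
        password = passwordCB.getPassword();   // a copy; the callback keeps its own buffer
        passwordCB.clearPassword();            // so wipe that buffer immediately
        succeeded = verify(username, password);
        if (!succeeded) { reset(); throw new FailedLoginException("Invalid credentials"); }
        return true;
    }
    public boolean commit() {
        if (!succeeded) return false;          // tell the LoginContext to ignore this module
        principal = new UserPrincipal(username);
        subject.getPrincipals().add(principal);
        reset();                               // secret no longer needed once the Subject is populated
        return true;
    }
    public boolean abort() { reset(); succeeded = false; return true; }
    public boolean logout() {
        if (subject.isReadOnly() || principal == null) return false;
        subject.getPrincipals().remove(principal);   // remove only what this module added
        return true;
    }
    private void reset() {                     // zero the secret rather than just dropping the reference
        if (password != null) Arrays.fill(password, '\0');
        password = null; username = null;
    }
    private boolean verify(String user, char[] pass) {   // constructed check, not production code
        return "alice".equals(user) && Arrays.equals(pass, "s3cret".toCharArray());
    }
}
```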
Disclosure

All of the code in the attached JAAS cheat sheet has been copied verbatim from the free source at http://jaasbook.com/

Authors and Primary Editors

Dr. A.L. Gottlieb - AnthonyG [at] owasp.org