JAAS provides a framework that lets any Java application authenticate a client and verify that the client holds the permissions required to access a secured resource.
The steps to enable JAAS-based protection are as follows:
1. Identify the resource that needs to be protected.
2. Identify a particular security provider. In the case of JBoss, security is provided by the corresponding security manager.
3. Apply the JAAS security implementation to the identified resources.
4. Build the clients of the secured resources with knowledge of the security implementation and the mechanisms it uses. This is important because the client is expected to supply some form of credential before it is granted access to a secured resource; in each case the credential is a username and password combination.
The JAAS classes enabling security
o LoginModule: This is the security implementation provider that authenticates the clients. A typical implementation validates the username and password combination.
o LoginContext: Using the LoginContext, the client performs a login session.
o CallbackHandler: This class mediates the exchange of data between the client and the LoginModule. The LoginModule uses Callback classes to request information from the client, and the CallbackHandler on the client side supplies the required information according to the type of each Callback.
o Principal & Group class: The LoginModule places the identity information about the client (for example surname, forename, age) in Principal classes and the permission information (the role list) in the Group class.
o Subject: This is the output of a successful login. It includes the authenticated Principal and Group. A Subject can also be seen as a secure representation of the client after authentication is completed.
JAAS login on the client side
The JBoss server provides a JAAS security manager. The important fact is that the JBoss client runs in its own JVM (Java Virtual Machine). Thus we cannot execute the server's LoginModule on the client side, because the Subject generated there would not be recognized as valid on the server side. The login is valid only if the credentials are transported to the server side and a login is executed there.
To provide this client-side login, JBoss supplies a LoginModule for JBoss clients called ClientLoginModule. This module keeps the authentication information in ThreadLocal variables, which ensures that the authentication data is always available on the current thread of execution.
The security manager on the server side uses the same authentication information to perform a JAAS login on the server side. On successful verification, and if the client holds adequate roles, the EJB invocation is allowed to proceed; otherwise the server-side security manager throws a SecurityException, which is returned from the invoked method.