I've taken some time over the last couple of days to look into the state of the Java Authentication and Authorization Service (JAAS) and the promises for interoperability that it offers in the J2EE space.

The result of that research is the brief assessment attached below. Please let me know if anything in this assessment is inaccurate, or if you could recommend any additional resources or courses of action.

Thanks in advance,
Mike


BACKGROUND AND THEORY


According to OnJava.com, JAAS is a "framework that supplements the Java 2 platform with user-based authentication and access control capabilities. It includes a Java implementation of the standard Pluggable Authentication Module (PAM) architecture, and provides support for user-based, group-based, or role-based access controls".

JAAS was an optional extension for the Java 2 Standard Edition (J2SE) version 1.3, and has some implementation issues when deployed in that environment. With J2SE 1.4, JAAS became an official part of the Java 2 platform.

As of the 1.3 release of the J2EE specification, J2EE Web and EJB containers are now required to support the JAAS APIs. Thus, in theory, it would seem that, regardless of which J2EE 1.3 container you use, you are guaranteed to have pluggable, declarative authentication and authorization of business logic.


HARSHER REALITY


Unfortunately, the above statement does not seem to hold true in practice. As the following Sun developer newsgroup postings indicate, J2EE vendors do not seem to be required to expose their security mechanisms using the JAAS APIs. Moreover, even if all vendors use JAAS, their implementations are not necessarily interoperable.

Links to newsgroup postings:

http://swjscmail1.java.sun.com/cgi-bin/wa?A2=ind0206&L=java-security&P=R1174&D=0&H=0&O=T&T=1

http://forum.java.sun.com/thread.jsp?forum=60&thread=288901


HOPE FOR AUTHORIZATION


One of the developments that will help to integrate JAAS with J2EE, at least in the authorization space, is the introduction of JSR 115, Java Authorization Contract for Containers (JACC).

The JACC specification "define(s) a contract between [J2EE] containers and authorization service providers that will result in the implementation of providers for use by containers".

The proposed final draft of the J2EE 1.4 specification requires that all J2EE 1.4 containers:

* provide the Java classes and interfaces that make up the JACC 1.0 API

* support the contract between J2EE containers and authorization service providers as defined by the JACC 1.0 specification


UNCERTAINTY FOR AUTHENTICATION


There does not appear, though, to be a similarly required contract between J2EE containers and authentication service providers. This is a gap that probably needs to be addressed if we want the flexibility of being able to use JAAS with more than one application server in the future.


RECOMMENDED ACTION


Perhaps the Java developer community can communicate with representatives of Sun or of some of the security vendors that were part of the JSR 115 (JACC) Expert Group to obtain their feedback on what efforts, if any, they are undertaking to standardize the integration of authentication services into J2EE containers.


RESOURCES


"All that JAAS: Scalable Java security with JAAS", John Musser, JavaWorld, September 13, 2002

"Extend JAAS for class instance-level authorization", Carlos A. Fonseca, IBM developerWorks, April 2002

"JAAS Login Modules 1.0.0", a small collection of GNU LGPL login modules that "allow Java programs to perform user authentication against a number of providers." One such module authenticates against a Windows NT/2000 domain, but it has only been tested against the IIS Web server and Apache Tomcat Web container as of the time of this writing.