This page links to a series of tutorials demonstrating various aspects of the use of JAAS (Java Authentication and Authorization Service) and Java GSS-API.
JAAS can be used for two purposes:
- for authentication of users, to reliably and securely determine who is currently executing Java code, and
- for authorization of users to ensure they have the access control rights (permissions) required to do security-sensitive operations.
Java GSS-API is used for securely exchanging messages between communicating applications. The Java GSS-API contains the Java bindings, defined in RFC 5653, for the Generic Security Services Application Program Interface (GSS-API); the GSS-API itself is specified in RFC 2743. GSS-API offers application programmers uniform access to security services (peer authentication, message integrity and message confidentiality) atop a variety of underlying security mechanisms, including Kerberos.
Note: JSSE is another API that can be used for secure communication. For the differences between the two, see When to Use Java GSS-API Versus JSSE.
The JAAS and Java GSS-API tutorials are presented together because JAAS authentication is typically performed before secure communication using Java GSS-API: the credentials that a JAAS login places in the authenticated Subject are the credentials Java GSS-API uses to establish a security context with the peer. Thus JAAS and Java GSS-API are related and often used together. However, it is possible for applications to use JAAS without Java GSS-API, and it is also possible to use Java GSS-API without JAAS. Furthermore, JAAS itself can be used simply for authentication or for both authentication and authorization.
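The following client program is an added example, not code from the tutorials linked on this page, of the sequence just described: a JAAS login with the Kerberos login module, followed by a Java GSS-API context establishment and a protected message exchange performed as the authenticated Subject. The JAAS entry name `GssClient`, the service principal `host@server.example.com`, the server address and port, the length-prefixed token framing, and the server's behaviour of echoing a wrapped reply are all assumptions; a working Kerberos environment (`krb5.conf`, a KDC, and a ticket in the credential cache) is required to run it.

```java
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.MessageProp;
import org.ietf.jgss.Oid;

/*
 * Assumed JAAS configuration, passed with -Djava.security.auth.login.config=jaas.conf:
 *
 *   GssClient {
 *     com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
 *   };
 *
 * The entry name, service principal, host and port below are assumptions for this
 * example; substitute the values of your own realm.
 */
public class JaasGssClient {

    // Kerberos V5 GSS-API mechanism OID (RFC 1964); GSS-API selects mechanisms by OID.
    private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";

    public static void main(String[] args) throws Exception {
        String jaasEntry = "GssClient";                      // assumed jaas.conf entry
        String servicePrincipal = "host@server.example.com"; // assumed target service
        String host = "server.example.com";                  // assumed server address
        int port = 4444;                                     // assumed server port

        // Step 1: JAAS authentication. Krb5LoginModule obtains the user's TGT (here from
        // the ticket cache) and stores the principal and credentials in the Subject.
        LoginContext lc = new LoginContext(jaasEntry);
        lc.login();
        Subject subject = lc.getSubject();

        // Step 2: run the GSS-API exchange as that Subject. The Kerberos mechanism
        // looks for credentials in the Subject bound to the current thread, which
        // Subject.doAs provides for the duration of the action.
        byte[] reply = Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () ->
                talkToServer(servicePrincipal, host, port));

        System.out.println("Server replied: " + new String(reply, StandardCharsets.UTF_8));
        lc.logout();
    }

    private static byte[] talkToServer(String servicePrincipal, String host, int port)
            throws Exception {
        try (Socket socket = new Socket(host, port);
             DataInputStream in = new DataInputStream(socket.getInputStream());
             DataOutputStream out = new DataOutputStream(socket.getOutputStream())) {

            GSSManager manager = GSSManager.getInstance();
            GSSName serverName = manager.createName(servicePrincipal, GSSName.NT_HOSTBASED_SERVICE);
            Oid krb5 = new Oid(KRB5_MECH_OID);

            // A null initiator credential means "use the credentials in the current Subject".
            GSSContext context = manager.createContext(serverName, krb5, null,
                    GSSContext.DEFAULT_LIFETIME);
            context.requestMutualAuth(true); // the server must prove its identity too
            context.requestConf(true);       // confidentiality for wrap()
            context.requestInteg(true);      // integrity for wrap()

            // Context establishment loop. GSS-API produces opaque tokens; framing them on
            // the wire (here a 4-byte length prefix) is the application's job.
            byte[] token = new byte[0];
            while (!context.isEstablished()) {
                token = context.initSecContext(token, 0, token.length);
                if (token != null) {
                    out.writeInt(token.length);
                    out.write(token);
                    out.flush();
                }
                if (!context.isEstablished()) {
                    token = new byte[in.readInt()];
                    in.readFully(token);
                }
            }

            // Requested services are only requests; check what was actually negotiated,
            // otherwise a downgrade to an unauthenticated server or cleartext goes unnoticed.
            if (!context.getMutualAuthState() || !context.getConfState()) {
                throw new GSSException(GSSException.UNAVAILABLE);
            }

            // Step 3: protected message exchange. MessageProp(0, true): default QOP, encrypt.
            byte[] plaintext = "hello from client".getBytes(StandardCharsets.UTF_8);
            MessageProp prop = new MessageProp(0, true);
            byte[] wrapped = context.wrap(plaintext, 0, plaintext.length, prop);
            out.writeInt(wrapped.length);
            out.write(wrapped);
            out.flush();

            // unwrap() verifies the MIC and reports, via prop, whether the reply was encrypted.
            byte[] wrappedReply = new byte[in.readInt()];
            in.readFully(wrappedReply);
            byte[] reply = context.unwrap(wrappedReply, 0, wrappedReply.length, prop);
            if (!prop.getPrivacy()) {
                throw new GSSException(GSSException.BAD_QOP);
            }
            context.dispose();
            return reply;
        }
    }
}
```

Two points in this example matter beyond the happy path. The `request*` calls only express preferences; the `get*State()` checks after establishment are what actually enforce mutual authentication and confidentiality, and the `getPrivacy()` check on the unwrapped reply catches a peer that sends integrity-only messages. Also, `Subject.doAs` is deprecated from JDK 18 onward in favour of `Subject.callAs`, which takes a `Callable` and serves the same purpose of binding the Subject to the action.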
The following tutorials provide working examples for all of the scenarios described previously.
- Demonstrates the use of the Java GSS-API for secure message exchanges between a client application and a server application.
- Explains how an application can authenticate users using JAAS.
- Explains how to enforce user-based access controls using JAAS.
- Describes a utility program that authenticates a user using JAAS and executes any application as that user. The appropriate user-based access controls are enforced while the application executes. This utility, as a convenience, essentially performs the operations described in the JAAS Authentication and JAAS Authorization tutorials on your behalf. Therefore it is possible to skip directly to this tutorial if you do not need to know how to perform JAAS authentication and authorization directly.
- The most comprehensive tutorial. The Login utility is used to authenticate a service user and to start up a server application as that user. The Login utility is also used to authenticate a client user and to start up a client application as that user. Finally the client and server applications, on behalf of their authenticated client and service users, exchange secure messages using the Java GSS-API.
- Shows additional operations the server application in the previous tutorial can perform once communication has been established with the client application.
All applications in all tutorials in this series utilize Kerberos Version 5 as the underlying technology for authentication and secure communication. See Kerberos Requirements. The term "Kerberos" used throughout the tutorials is meant to refer to Kerberos Version 5.