1. Security Developer’s Guide
  2. Java Generic Security Services (Java GSS-API)
  3. Introduction to JAAS and Java GSS-API Tutorials
  4. JAAS Authentication

JAAS Authentication

This basic tutorial demonstrates how JAAS can be used for the authentication of users: to reliably and securely determine who is currently executing Java code.

JAAS authentication is performed in a pluggable fashion. This permits Java applications to remain independent from underlying authentication technologies. New or updated technologies can be plugged in without requiring modifications to the application itself. An implementation for a particular authentication technology to be used is determined at runtime. The implementation is specified in a login configuration file. The authentication technology used for this tutorial is Kerberos. (See Kerberos Requirements.)

The rest of this tutorial consists of the following sections:

  1. The Authentication Tutorial Code
  2. The Login Configuration
  3. Running the Code

If you want to first see the tutorial code in action, you can skip directly to Running the Code and then go back to the other sections to learn about coding and configuration file details.

The Authentication Tutorial Code

Our authentication tutorial code is contained in a single source file, JaasAcn.java. This file's main method performs the authentication and then reports whether or not authentication succeeded.

The code for authenticating the user is very simple, consisting of just two steps:

  1. Instantiating a LoginContext
  2. Calling the LoginContext's login Method

Instantiating a LoginContext

In order to authenticate a user, you first need a javax.security.auth.login.LoginContext. Here is the basic way to instantiate a LoginContext: 

import javax.security.auth.login.*;
. . .
LoginContext lc = 
    new LoginContext(<config file entry name>,
           <CallbackHandler to be used for user interaction>);

and here is the specific way our tutorial code does the instantiation: 

import javax.security.auth.login.*;
import com.sun.security.auth.callback.TextCallbackHandler;
. . .
LoginContext lc = 
    new LoginContext("JaasSample", 
          new TextCallbackHandler());

The arguments are the following:

  1. The name of an entry in the JAAS login configuration file

    This is the name for the LoginContext to use to look up an entry for this application in the JAAS login configuration file, described in The Login Configuration. Such an entry specifies the class(es) that implement the desired underlying authentication technology(ies). The class(es) must implement the LoginModule interface, which is in the javax.security.auth.spi package.

    In our sample code, we use the Krb5LoginModule in the com.sun.security.auth.module package, which performs Kerberos authentication.

    The entry in the login configuration file we use for this tutorial (see jaas.conf) has the name "JaasSample", so that is the name we specify as the first argument to the LoginContext constructor.

  2. A CallbackHandler instance.

    When a LoginModule needs to communicate with the user, for example to ask for a user name and password, it does not do so directly. That is because there are various ways of communicating with a user, and it is desirable for LoginModules to remain independent of the different types of user interaction. Rather, the LoginModule invokes a CallbackHandler to perform the user interaction and obtain the requested information, such as the user name and password. (CallbackHandler is an interface in the javax.security.auth.callback package.)

    An instance of the particular CallbackHandler to be used is specified as the second argument to the LoginContext constructor. The LoginContext forwards that instance to the underlying LoginModule (in our case Krb5LoginModule). An application typically provides its own CallbackHandler implementation. A simple CallbackHandler, TextCallbackHandler, is provided in the com.sun.security.auth.callback package to output information to and read input from the command line.

Calling the LoginContext's login Method

Once we have a LoginContext lc, we can call its login method to carry out the authentication process: 

lc.login();

The LoginContext instantiates a new empty javax.security.auth.Subject object (which represents the user or service being authenticated; see Subject). The LoginContext constructs the configured LoginModule (in our case Krb5LoginModule) and initializes it with this new Subject and TextCallbackHandler.

The LoginContext's login method then calls methods in the Krb5LoginModule to perform the login and authentication. The Krb5LoginModule will utilize the TextCallbackHandler to obtain the user name and password. Then the Krb5LoginModule will use this information to get the user credentials from the Kerberos KDC. See the Kerberos reference documentation.

If authentication is successful, the Krb5LoginModule populates the Subject with (1) a Kerberos Principal representing the user and (2) the user's credentials (TGT).

The calling application can subsequently retrieve the authenticated Subject by calling the LoginContext's getSubject method, although doing so is not necessary for this tutorial.

The Login Configuration

JAAS authentication is performed in a pluggable fashion, so applications can remain independent from underlying authentication technologies. A system administrator determines the authentication technologies, or LoginModules, to be used for each application and configures them in a login Configuration. The source of the configuration information (for example, a file or a database) is up to the current javax.security.auth.login.Configuration implementation. The default Configuration implementation from Oracle reads configuration information from configuration files, as described in com.sun.security.auth.login.ConfigFile.

See Appendix B: JAAS Login Configuration File for information as to what a login configuration file is, what it contains, and how to specify which login configuration file should be used.

The Login Configuration File for This Tutorial

As noted, the login configuration file we use for this tutorial, jass.conf, contains just one entry, which is 

JaasSample {
  com.sun.security.auth.module.Krb5LoginModule required;
};

This entry is named JaasSample and that is the name that our tutorial application, JaasAcn, uses to refer to this entry. The entry specifies that the LoginModule to be used to do the user authentication is the Krb5LoginModule in the com.sun.security.auth.module package and that this Krb5LoginModule is required to "succeed" in order for authentication to be considered successful. The Krb5LoginModule succeeds only if the name and password supplied by the user are successfully used to log the user into the Kerberos KDC.

See the Krb5LoginModule JavaDoc API documentation for information about all the possible options that can be passed to Krb5LoginModule.

Running the Code

To execute our JAAS authentication tutorial code, all you have to do is

  1. Place the JaasAcn.java application source file and the jaas.conf login configuration file into a directory.
  2. Compile JaasAcn.java: 
    
javac JaasAcn.java
  3. Execute the JaasAcn application, specifying

    • by -Djava.security.krb5.realm=<your_realm> that your Kerberos realm is the one specified.

      For example, if your realm is KRBNT-OPERATIONS.EXAMPLE.COM you'd put -Djava.security.krb5.realm=KRBNT-OPERATIONS.EXAMPLE.COM.

    • by -Djava.security.krb5.kdc=<your_kdc> that your Kerberos KDC is the one specified.

      For example, if your KDC is samplekdc.example.com you'd put -Djava.security.krb5.kdc=samplekdc.example.com.

    • by -Djava.security.auth.login.config=jaas.conf that the login configuration file to be used is jaas.conf.

The following is the full command:

Note:

Be sure to replace <your_realm> with your Kerberos realm, and <your_kdc> with your Kerberos KDC.


java -Djava.security.krb5.realm=<your_realm> 
 -Djava.security.krb5.kdc=<your_kdc> 
 -Djava.security.auth.login.config=jaas.conf JaasAcn

Type all that on one line. Multiple lines are used here for legibility.

You will be prompted for your Kerberos user name and password, and the underlying Kerberos authentication mechanism specified in the login configuration file will log you into Kerberos. If your login is successful, you will see the following message:

Authentication succeeded!

If the login is not successful (for example, if you misspell your password), you will see 

Authentication failed:

followed by a reason for the failure. For example, if you mistype your user name, you may see a message like the following (where the formatting is slightly modified here to increase legibility): 

Authentication failed:
  Kerberos Authentication Failed:
    javax.security.auth.login.LoginException: 
      KrbException: Client not found in Kerberos database

For login troubleshooting suggestions, see Troubleshooting Logins.

After fixing any problems, re-run the program to try again.