Guide to the Java Authentication And Authorization Service (JAAS)
Last updated: March 14, 2020
Mocking is an essential part of unit testing, and the Mockito library makes it easy to write clean and intuitive unit tests for your Java code.
Get started with mocking and improve your application tests using our Mockito guide:
Handling concurrency in an application can be a tricky process with many potential pitfalls. A solid grasp of the fundamentals will go a long way to help minimize these issues.
Get started with understanding multi-threaded applications with our Java Concurrency guide:
Spring 5 added support for reactive programming with the Spring WebFlux module, which has been improved upon ever since. Get started with the Reactor project basics and reactive programming in Spring Boot:
Since its introduction in Java 8, the Stream API has become a staple of Java development. The basic operations like iterating, filtering, mapping sequences of elements are deceptively simple to use.
But these can also be overused and fall into some common pitfalls.
To get a better understanding on how Streams work and how to combine them with other language features, check out our guide to Java Streams:
Explore Spring Boot 3 and Spring 6 in-depth through building a full REST API with the framework:
Yes, Spring Security can be complex, from the more advanced functionality within the Core to the deep OAuth support in the framework.
I built the security material as two full courses - Core and OAuth, to get practical with these more complex scenarios. We explore when and how to use each feature and code through it on the backing project.
You can explore the course here:
Spring Data JPA is a great way to handle the complexity of JPA with the powerful simplicity of Spring Boot.
Get started with Spring Data JPA through the guided reference course:
Refactor Java code safely — and automatically — with OpenRewrite.
Refactoring big codebases by hand is slow, risky, and easy to put off. That’s where OpenRewrite comes in. The open-source framework for large-scale, automated code transformations helps teams modernize safely and consistently.
Each month, the creators and maintainers of OpenRewrite at Moderne run live, hands-on training sessions — one for newcomers and one for experienced users. You’ll see how recipes work, how to apply them across projects, and how to modernize code with confidence.
Join the next session, bring your questions, and learn how to automate the kind of work that usually eats your sprint time.
Regression testing is an important step in the release process, to ensure that new code doesn't break the existing functionality. As the codebase evolves, we want to run these tests frequently to help catch any issues early on.
The best way to ensure these tests run frequently on an automated basis is, of course, to include them in the CI/CD pipeline. This way, the regression tests will execute automatically whenever we commit code to the repository.
In this tutorial, we'll see how to create regression tests using Selenium, and then include them in our pipeline using GitHub Actions:, to be run on the LambdaTest cloud grid:
1. Overview
Java Authentication And Authorization Service (JAAS) is a Java SE low-level security framework that augments the security model from code-based security to user-based security. We can use JAAS for two purposes:
- Authentication: Identifying the entity that is currently running the code
- Authorization: Once authenticated, ensure that this entity has the required access control rights or permissions to execute sensitive code
In this tutorial, we’ll cover how to set up JAAS in a sample application by implementing and configuring its various APIs, especially the LoginModule.
2. How JAAS Works
When using JAAS in an application, several APIs are involved:
- CallbackHandler: Used for gathering user credentials and optionally provided when creating the LoginContext
- Configuration: Responsible for loading LoginModule implementations and can be optionally provided at LoginContext creation
- LoginModule: Effectively used for authenticating users
We’ll use the default implementation for the Configuration API and provide our own implementations for the CallbackHandler and the LoginModule APIs.
3. Providing CallbackHandler Implementation
Before digging into the LoginModule implementation, we first need to provide an implementation for the CallbackHandler interface, which is used for gathering user credentials.
It has a single method, handle(), that accepts an array of Callbacks. In addition, JAAS already provides many Callback implementations, and we’ll be using the NameCallback and PasswordCallback for gathering the username and password, respectively.
Let’s see our implementation of the CallbackHandler interface:
public class ConsoleCallbackHandler implements CallbackHandler {
@Override
public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
Console console = System.console();
for (Callback callback : callbacks) {
if (callback instanceof NameCallback) {
NameCallback nameCallback = (NameCallback) callback;
nameCallback.setName(console.readLine(nameCallback.getPrompt()));
} else if (callback instanceof PasswordCallback) {
PasswordCallback passwordCallback = (PasswordCallback) callback;
passwordCallback.setPassword(console.readPassword(passwordCallback.getPrompt()));
} else {
throw new UnsupportedCallbackException(callback);
}
}
}
}So, to prompt and read the username, we’ve used:
NameCallback nameCallback = (NameCallback) callback;
nameCallback.setName(console.readLine(nameCallback.getPrompt()));Similarly, to prompt and read the password:
PasswordCallback passwordCallback = (PasswordCallback) callback;
passwordCallback.setPassword(console.readPassword(passwordCallback.getPrompt()));Later, we’ll see how to call the CallbackHandler when implementing the LoginModule.
4. Providing LoginModule Implementation
For simplicity, we’ll provide an implementation that stores hard-coded users. So, let’s call it InMemoryLoginModule:
public class InMemoryLoginModule implements LoginModule {
private static final String USERNAME = "testuser";
private static final String PASSWORD = "testpassword";
private Subject subject;
private CallbackHandler callbackHandler;
private Map<String, ?> sharedState;
private Map<String, ?> options;
private boolean loginSucceeded = false;
private Principal userPrincipal;
//...
}In the next subsections, we’ll be giving an implementation for the more important methods: initialize(), login(), and commit().
4.1. initialize()
The LoginModule is first loaded and then initialized with a Subject and a CallbackHandler. Additionally, LoginModules can use a Map for sharing data among themselves, and another Map for storing private configuration data:
public void initialize(
Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) {
this.subject = subject;
this.callbackHandler = callbackHandler;
this.sharedState = sharedState;
this.options = options;
}4.2. login()
In the login() method, we invoke the CallbackHandler.handle() method with a NameCallback and a PasswordCallback to prompt and get the username and password. Then, we compare these provided credentials with the hardcoded ones:
@Override
public boolean login() throws LoginException {
NameCallback nameCallback = new NameCallback("username: ");
PasswordCallback passwordCallback = new PasswordCallback("password: ", false);
try {
callbackHandler.handle(new Callback[]{nameCallback, passwordCallback});
String username = nameCallback.getName();
String password = new String(passwordCallback.getPassword());
if (USERNAME.equals(username) && PASSWORD.equals(password)) {
loginSucceeded = true;
}
} catch (IOException | UnsupportedCallbackException e) {
//...
}
return loginSucceeded;
}The login() method should return true for a successful operation and false for a failed login.
4.3. commit()
If all calls to LoginModule#login succeed, we update the Subject with an additional Principal:
@Override
public boolean commit() throws LoginException {
if (!loginSucceeded) {
return false;
}
userPrincipal = new UserPrincipal(username);
subject.getPrincipals().add(userPrincipal);
return true;
}Otherwise, the abort() method is called.
At this point, our LoginModule implementation is ready and needs to be configured so that it can be loaded dynamically using the Configuration service provider.
5. LoginModule Configuration
JAAS uses the Configuration service provider to load LoginModules at runtime. By default, it provides and uses the ConfigFile implementation where LoginModules are configured through a login file. For example, here is the content of the file used for our LoginModule:
jaasApplication {
com.baeldung.jaas.loginmodule.InMemoryLoginModule required debug=true;
};As we can see, we’ve provided the fully qualified class name of the LoginModule implementation, a required flag, and an option for debugging.
Finally, note that we can also specify the login file through the java.security.auth.login.config system property:
$ java -Djava.security.auth.login.config=src/main/resources/jaas/jaas.login.configWe can also specify one or more login files through the property login.config.url in the Java security file, ${java.home}/jre/lib/security/java.security:
login.config.url.1=file:${user.home}/.java.login.config6. Authentication
Firstly, an application initializes the authentication process by creating a LoginContext instance. To do so, we can take a look at the full constructor to have an idea about what we need as parameters:
LoginContext(String name, Subject subject, CallbackHandler callbackHandler, Configuration config)- name: used as an index for loading only the corresponding LoginModules
- subject: represents a user or service that wants to log in
- callbackHandler: responsible for passing user credentials from the application to the LoginModule
- config: responsible for loading LoginModules that correspond to the name parameter
Here, we’ll be using the overloaded constructor where we’ll be providing our CallbackHandler implementation:
LoginContext(String name, CallbackHandler callbackHandler)Now that we have a CallbackHandler and a configured LoginModule, we can start the authentication process by initializing a LoginContext object:
LoginContext loginContext = new LoginContext("jaasApplication", new ConsoleCallbackHandler());At this point, we can invoke the login() method to authenticate the user:
loginContext.login();The login() method, in turn, creates a new instance of our LoginModule and calls its login() method. And, upon successful authentication, we can retrieve the authenticated Subject:
Subject subject = loginContext.getSubject();Now, let’s run a sample application that has the LoginModule wired in:
$ mvn clean package
$ java -Djava.security.auth.login.config=src/main/resources/jaas/jaas.login.config \
-classpath target/core-java-security-2-0.1.0-SNAPSHOT.jar com.baeldung.jaas.JaasAuthenticationWhen we’re prompted to provide the username and password, we’ll use testuser and testpassword as credentials.
7. Authorization
Authorization comes into play when the user is first connected and associated with the AccessControlContext. Using the Java security policy, we can grant one or more access control rights to Principals. We can then prevent access to sensitive code by calling the SecurityManager#checkPermission method:
SecurityManager.checkPermission(Permission perm)7.1. Defining Permissions
An access control right or permission is the ability to execute an action on a resource. We can implement a permission by subclassing the Permission abstract class. To do so, we need to provide a resource name and a set of possible actions. For example, we can use FilePermission to configure access control rights on files. Possible actions are read, write, execute, and so on. For scenarios where actions are not necessary, we may simply use the BasicPermision.
Next, we’ll provide an implementation of permission through the ResourcePermission class where users may have permission to access a resource:
public final class ResourcePermission extends BasicPermission {
public ResourcePermission(String name) {
super(name);
}
}Later, we’ll configure an entry for this permission through the Java security policy.
7.2. Granting Permissions
Usually, we don’t need to know the policy file syntax because we can always use the Policy Tool to create one. Let’s take a look at our policy file:
grant principal com.sun.security.auth.UserPrincipal testuser {
permission com.baeldung.jaas.ResourcePermission "test_resource"
};In this sample, we’ve granted the test_resource permission to the testuser user.
7.3. Checking Permissions
Once the Subject is authenticated and permissions are configured, we can check for access by calling the Subject#doAs or Subject#doAsPrivilieged static methods. For this purpose, we’ll provide a PrivilegedAction where we can protect access to sensitive code. In the run() method, we call the SecurityManager#checkPermission method to ensure that the authenticated user has the test_resource permission:
public class ResourceAction implements PrivilegedAction {
@Override
public Object run() {
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(new ResourcePermission("test_resource"));
}
System.out.println("I have access to test_resource !");
return null;
}
}The last thing is to call the Subject#doAsPrivileged method:
Subject subject = loginContext.getSubject();
PrivilegedAction privilegedAction = new ResourceAction();
Subject.doAsPrivileged(subject, privilegedAction, null);Like the authentication, we’ll run a simple application for the authorization where, in addition to the LoginModule, we provide a permissions configuration file:
$ mvn clean package
$ java -Djava.security.manager -Djava.security.policy=src/main/resources/jaas/jaas.policy \
-Djava.security.auth.login.config=src/main/resources/jaas/jaas.login.config \
-classpath target/core-java-security-2-0.1.0-SNAPSHOT.jar com.baeldung.jaas.JaasAuthorization8. Conclusion
In this article, we have showcased how to implement JAAS by exploring the principal classes and interfaces and showing how to configure them. Especially, we have implemented a service provider LoginModule.
