× Please, log in to give us a feedback. Click here to login

You must be logged to download. Click here to login


MrBool is totally free and you can help us to help the Developers Community around the world

Yes, I'd like to help the MrBool and the Developers Community before download

No, I'd like to download without make the donation


MrBool is totally free and you can help us to help the Developers Community around the world

Yes, I'd like to help the MrBool and the Developers Community before download

No, I'd like to download without make the donation

How to use JAAS for web application security

In this article we will talk about the usage of JAAS (Java Authentication and Authorization Service) for upgrade the security of web applications.

Security is one of the main aspects in web applications. So the success of web application depends on the security implementation also. And for mission critical applications, security aspect has to be implemented and tested before it goes into production. Earlier days, security aspects were simple enough and developers code them following simple rules and validations. But nowadays more care has to be taken to make it a secure application. In this article we will discuss different security aspects and their implementation details.

Java authentication and authorization service (JAAS) is a revolution in security domain. This is widely accepted in all java and j2ee enterprise applications. JAAS is basically a java based authentication and authorization API. The API exposes a set of interfaces and configuration for application use. Using these features, any web application can be secured and make production ready. But the use of JAAS or any custom module depends upon the application requirement.

Before we discuss the details, we must know about the containers. A container can be defined as an environment (software environment) in which an application runs. Apart from running applications, container also has different other functionalities but we will discuss those in a separate article. The term 'container' is synonymous with a J2EE application server. It is also know as J2EE container. So the next question is, why do we need a container? Basically container provides all necessary services required to run the application smoothly and function properly. There are a number of J2EE containers available in the market and they provide different levels of support. But the container must follow the J2EE specification, may be partially or completely. Like tomcat is a web container, which only implements the servlet portion of the J2EE specification. Where as weblogic, websphere, JBoss are complete application server as they followed the complete J2EE specification.

Application Security

In this article we will mainly concentrate on application security. Before we move forward, we should have a clear understanding about the application security. Application security can be defined as a security mechanism implemented by the application itself to make it secure. The application can also take the help of a framework or application server features to implement it successfully. After implementing the security the application becomes secure from its users. If we consider from application perspective, then it is the responsibility of the developer to follow proper steps and decide on the security implementation details. There are many other types of security implementations also like network security, JVM security, application server security and many more. But our scope of discussion is limited to application security side only. Our focus in this discussion will be specifically on J2EE security features and its users. The access, authentication and authorization will be a part of application security implementation. The java feature JAAS will take care of all these issues.

Application Security Functions

As we are discussing the application security, we will first take a look at the following five main functions which are generally considered during the implementation.

  • Authentication (Used to authenticate the user)
  • Authorization (Check what logged in user can do)
  • Registration (Register new user)
  • Account maintenance (Which includes creating, updating etc)
  • Account delete or inactivate (This is for user removal)

In general all applications do not follow all the above points. They might implement a sub set of the functions OR they might select some of them as per their need. But these are the basic fundamental functions which need to be considered during application security implementation.

JAAS Authentication

Java Authentication and Authorization Service (JAAS) is a standard framework for authenticating any users of any application. The application can be an enterprise application, web application or any standalone application. The most important part is the configuration files used in JAAS framework. The configuration file specifies the implementation of a set of standard interfaces and these are called to authenticate the user. In JAAS framework, the credential realization and its authentication happens inside the implementation of those standard JAAS interfaces. It includes the following interfaces.

  • Callback interface
  • CallbackHandler
  • LoginModule

The functions of Callback interfaces are to retrieve the user credentials and the function of LoginModule is to verify user's credentials and allow it to login or redirect to login failed message page.

The implementation of JAAS is different for standalone and other applications. In a typical standalone application, the Callback handler interface retrieves the credentials and LoginModule interface authenticate the credentials. And the user details are generally stored in a persistent store like database, local file system or LDAP directory. But when the application is deployed in a container then the mechanism is a bit different. The JAAS framework must communicate with the container to get its services related to authentication and authorization. The JAAS LoginModule is written with the use of container specific APIs. The container specific APIs are responsible for authenticate credentials. The container specific APIs perform the following two tasks.

  • Credential Realization
  • Credential Authentication

The JAAS framework communicates with the container specific APIs with a single method call and passes the user details. After that the rest of the work is performed by the container. But this implementation varies from one container to another.

We must understand that JAAS is a framework which supports authentication and authorization mechanism. There are lot of other frameworks which does this automatically. But in JAAS, the developer has to write container specific code to call container APIs. So the custom JAAS code has to be written to implement authentication and authorization process. Nowadays some containers has JAAS implementation support and it is built in. But still the developer has to write code to implement JAAS completely.

In the following example we will see a standard JAAS container authentication. The CallbackHandler handles the user input and then the handle () method performs the actual task.

Listing 1: Sample code showing the implementation

package com.mrbool.jaas;

import java.io.IOException;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;

public class MrBOOLCallbackHandler implements CallbackHandler 
    // Define basic user details like user name and password
    private String uname;
    private String pwd;
    // Call constructor with user name and password
    public MrBOOLCallbackHandler(String uname, String pwd) 
        this.uname = uname;
        this.pwd = pwd;
    // This method is used to perform the actual task
    public void handle(Callback[] callbacks) throws IOException,
        // Write application sepcific implementation code
    // Getter method to get user name
    public String getUname() 
        return uname;
    // Getter method to get password
    public String getPword() 
        return pwd;

In the following example we will look into the login module and its implementation.

Listing 2: Sample showing login module

package com.mrbool.jaas;

import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.spi.LoginModule;

public class MrBOOLLoginModule implements LoginModule {

    // Define variables
    private Subject sub;
    private CallbackHandler handlr;
    private Map shrState;
    private Map opts;

    // Initialize the variables
    public void initialize(Subject sub, CallbackHandler handlr,
            Map shrState, Map opts)
        this.sub = sub;
        this.handlr = handlr;
        this.shrState = shrState;
        this.opts = opts;

    // Authenticate user in login module
    public boolean login() throws LoginException
        MrBOOLCallbackHandler handlr = (MrBOOLCallbackHandler) this.handlr;

        // Authenticate the user
        return ContainerAuthMethod.authenticate

    // Commit the operation
    public boolean commit() throws LoginException
        return true;

    // Abort the operation
    public boolean abort() throws LoginException
        return ContainerAuthMethod.logout(handlr.getUsername(),

    // Logout from the application
    public boolean logout() throws LoginException
        return ContainerAuthenticationMethod.logout(handlr.getUsername(),


Before concluding our discussion on security and JAAS implementation, we must understand that selecting a proper security framework/ module depends upon the application requirement. If there is need for custom authentication then some time developers use custom modules (without using JAAS or any other solutions available in the market). But as we have said that JAAS provides the entire framework, we get readily available structure. The work of the developer is to code the custom part only which varies from one application to another.

Website: www.techalpine.com Have 16 years of experience as a technical architect and software consultant in enterprise application and product development. Have interest in new technology and innovation area along with technical...

What did you think of this post?
To have full access to this post (or download the associated files) you must have MrBool Credits.

  See the prices for this post in Mr.Bool Credits System below:

Individually – in this case the price for this post is US$ 0,00 (Buy it now)
in this case you will buy only this video by paying the full price with no discount.

Package of 10 credits - in this case the price for this post is US$ 0,00
This subscription is ideal if you want to download few videos. In this plan you will receive a discount of 50% in each video. Subscribe for this package!

Package of 50 credits – in this case the price for this post is US$ 0,00
This subscription is ideal if you want to download several videos. In this plan you will receive a discount of 83% in each video. Subscribe for this package!

> More info about MrBool Credits
You must be logged to download.

Click here to login