What is JAAS?
JAAS provides a pluggable framework for authenticating and authorising users (more information is available on the JAAS pages @ Sun Developer Network). Many application servers support JAAS as a means of bringing greater flexibility to the declarative security models of the J2EE (now known as the Java EE) specifications. Whilst intentionally not a full-blown application server, jetty6 supports JAAS to provide greater alternatives for servlet security, and to increase the portability of web applications.
The JAAS support aims to dictate as little as possible whilst providing a sufficiently flexible infrastructure to allow users to drop in their own custom LoginModules. We will discuss how to configure jetty6 for JAAS, and describe the example LoginModules provided with the distribution.
Using JAAS with jetty is very simply a matter of declaring a
org.mortbay.jetty.plus.jaas.JAASUserRealm, creating a jaas login module configuration file and specifying it on the jetty run line. Let's look at an example.
Configure a jetty6
org.mortbay.jetty.plus.jaas.JAASUserRealm to match the
<realm-name> in your
web.xml file. For example, if the
web.xml contains a realm called
Then the following
JAASUserRealm would be declared in a jetty configuration file:
Set up your LoginModule in a configuration file, following the syntax rules:
Invoke jetty with the jaas configuration file you created in step 2:
A Closer Look at the JAASUserRealm
To allow the greatest degree of flexibility in using JAAS with web applications, the
JAASUserRealm supports a couple of configuration options. Note that you don't ordinarily need to set these explicitly, as jetty has defaults which will work in 99% of cases. However, should you need to, you can configure:
- a policy for role-based authorization (Default: org.mortbay.jetty.plus.jaas.StrictRoleCheckPolicy)
- a CallbackHandler (Default: org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler)
- a list of classnames for the Principal implementation that equate to a user role (Default: org.mortbay.jetty.plus.jaas.JAASRole)
Here's an example of setting each of these (to their default values):
RoleCheckPolicy must be an implementation of the
org.mortbay.jetty.plus.jaas.RoleCheckPolicy interface and its purpose is to help answer the question "is User X in Role Y" for role-based authorization requests. The default implementation distributed with jetty is the
org.mortbay.jetty.plus.jaas.StrictRoleCheckPolicy, which will assess a user as having a particular role iff that role is at the top of the stack of roles that have been temporarily pushed onto the user or if the user has no temporarily assigned roles, the role is amongst those configured for the user.
Roles can be temporarily assigned to a user programmatically by using the
pushRole(String rolename) method of the
For the majority of webapps, the default
StrictRoleCheckPolicy will be quite adequate, however you may provide your own implementation and set it on your
A CallbackHandler is responsible for interfacing with the user to obtain usernames and credentials to be authenticated.
Jetty ships with the
org.mortbay.jetty.plus.jaas.DefaultCallbackHandler which interfaces the information contained in the request to the Callbacks that are requested by LoginModules. You can replace this default with your own implementation if you have specific requirements not covered by the default.
Role Principal Implementation Class
When LoginModules authenticate a user, they usually also gather all of the roles that a user has and place them inside the JAAS Subject. As LoginModules are free to use their own implementation of the JAAS Principal to put into the Subject, jetty needs to know which Principals represent the user and which represent his/her roles when performing authorization checks on
<security-constraint>s. The example LoginModules that ship with jetty all use the
org.mortbay.jetty.plus.jaas.JAASRole class. However, if you have plugged in some other LoginModules, you must configure the classnames of their role Principal implementations.