Security Interview Questions

  • JAAS is the Java Authentication and Authorization Service bundled in Java SE.
  • JAAS can be used to provide user management and permissioning.
  • The authorization service allows you to "log in" a user and specify which "identities" a logged in user has.
  • The authentication system allows you to specify which permissions a user's identity has and then check for that permission before executing any Java code.

  • Java security technology includes a large set of APIs, tools, and implementations of commonly used security algorithms, mechanisms, and protocols.
  • The Java security APIs span areas like cryptography, public key infrastructure, secure communication, authentication, and access control.
  • Java security technology provides the developer with a comprehensive security framework for writing applications, and also provides the user or administrator with a set of tools to securely manage applications.

JAAS authentication:

  • JAAS authentication is deployed in a pluggable manner, using code modules that implement certain interfaces.
  • This enables Java applications to remain decoupled from the underlying authentication technologies.
  • Additional authentication protocols and updated authentication technologies can be plugged in at runtime without modifying the application or recompiling the source code.
  • The JAAS Authentication API is quite extensive and includes the following key interfaces and classes:
    • Callback
    • CallbackHandler
    • LoginContext
    • LoginModule
    • Principal
    • Subject

JAAS Authorization:

  • JAAS authorization is built on top of JAAS authentication. It augments the existing code-centric access controls with new user-centric access controls.
  • In this way, after a user has been authenticated by JAAS, the authorization API associates the Subject with an appropriate access control context.
  • Whenever the Subject attempts a restricted operation, the Java runtime consults the policy file to determine which Principal(s) may perform the operation.
  • If the Subject in question contains the designated Principal, the Java runtime allows the operation. Otherwise, it throws an exception. 

The code for authenticating the user consists of two steps:

1. Instantiate a LoginContext.

import javax.security.auth.login.*;
// The first argument names an entry in the JAAS login configuration (the file that lists
// which LoginModules to use); the CallbackHandler is how the LoginModule will ask the
// application for the user name and password.
LoginContext logconx = new LoginContext(<config file entry name>,
        <CallbackHandler to be used for user interaction>);

The LoginContext instantiates a new empty javax.security.auth.Subject object.
The LoginContext constructs the configured LoginModule and initializes it with this new Subject and CallbackHandler.

2. Call the LoginContext's login method.

logconx.login();

The LoginContext's login method then calls methods in the LoginModule to perform the login and authentication. The LoginModule uses the CallbackHandler to obtain the user name and password, and then checks that the name and password are the ones it expects.
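The two steps above, carried through end to end as an added example (this is not code from the original page): a hypothetical DemoLoginModule obtains the credentials through a CallbackHandler, a programmatic Configuration stands in for the config-file entry named "Demo", the credential "alice"/"secret" is constructed for the demo only, and the final hasPrincipal check is the Subject-contains-Principal test that the authorization section describes.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasDemo {
    static final String DEMO_USER = "alice", DEMO_PASS = "secret";  // constructed demo credential only
    // LoginModule: gets name/password through the CallbackHandler, verifies them, and on commit()
    // adds a Principal to the Subject that the LoginContext created and passed to initialize().
    public static class DemoLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private String user;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
            boolean ok = DEMO_USER.equals(nc.getName()) && Arrays.equals(DEMO_PASS.toCharArray(), pc.getPassword());
            pc.clearPassword();                         // do not keep the secret longer than needed
            if (!ok) throw new FailedLoginException("invalid user name or password");
            user = nc.getName(); return true;
        }
        public boolean commit() { String name = user; subject.getPrincipals().add((Principal) () -> name); return true; }
        public boolean abort()  { user = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }
    // Programmatic stand-in for a login configuration file entry named "Demo".
    static final Configuration CONFIG = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
        }
    };
    // The two steps from the text: build a LoginContext with a CallbackHandler, then call login().
    static Subject authenticate(String user, char[] pass) throws LoginException {
        CallbackHandler h = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(pass);
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("Demo", new Subject(), h, CONFIG);
        lc.login(); return lc.getSubject();   // login() drives DemoLoginModule.login() and then commit()
    }
    // User-centric check: allow the operation only if the Subject carries the designated Principal.
    static boolean hasPrincipal(Subject s, String name) { return s.getPrincipals().stream().anyMatch(p -> name.equals(p.getName())); }
    public static void main(String[] a) throws LoginException { System.out.println("alice allowed: " + hasPrincipal(authenticate("alice", "secret".toCharArray()), "alice")); }
}
```

Calling authenticate with a wrong password makes login() throw FailedLoginException, so no Principal is ever added to the Subject.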

