Security-Jaas

2

Jaas Security

The JaasSimpleAuthenticationProvider is a security provider that provides

a way to interact with the Jaas Authentication Service.

The security provider for Jaas can be configured in a couple of different

ways. It allows you to configure Jaas either by passing to the provider a

Jaas configuration file or by passing the required attributes directly to the

JaasSimpleAuthenticationProvider. These two configuration methods are

described below.

3

Jaas Configuration

Using the Jaas Configuration File

Usually, JAAS authentication is performed in a pluggable fashion, so applications can remain independent from underlying authentication technologies.

jaasTest{ org.mule.module.jaas.loginmodule.DefaultLoginModule required credentials="anon:anon;Marie.Rizzo:dragon;"};

4

The above example was saved in a file called jaas.conf. This file contains just one entry called com.ss.jaasTest, which is where the application we want to protect can be found. The entry specifies the login module that's used to authenticate the user. As a login module, you can either use Mule's DefaultLoginModule, one of the login modules that come with Sun, or else create your own. In this case, we have opted for Mule's DefaultLoginModule.

5

The required flag that follows the login module specifies that the login module must succeed for the authentication to be considered successful. Additional flags are:

Required - The login module is required to succeed. If it succeeds or fails, authentication still continues to proceed down the login module list.

Requisite - The login module is required to succeed. If it succeeds, authentication continues down the login module list. If it fails, control immediately returns to the application.

Sufficient - The login module is not required to succeed. If it does succeed, control immediately returns to the application (authentication does not proceed down the login module list). If it fails, authentication continues down the login module list.

Optional - The login module is not required to succeed. If it succeeds or fails, authentication still continues to proceed down the login module list.

6

The entry also specifies the credentials, in which we put a string of authorized users together with their passwords. The credentials are put here only when the DefaultLoginModule is going to be used, as the method in which the user names and passwords are obtained may vary from one login module to another.

The format of the credentials string must adhere to the following format if the DefaultLoginModule is going to be used:

<username>:<password>;

7

Configuring the Provider in the Mule Configuration File

<mule xmlns="http://www.mulesource.org/schema/mule/core/3.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jaas="http://www.mulesource.org/schema/mule/jaas/3.2" ...cut...

<jaas:security-manager> <jaas:security-provider name="jaasSecurityProvider" loginContextName="jaasTest" loginConfig="jaas.conf"/> </jaas:security-manager>