Jetty/Feature/JAAS



Introduction

JAAS implements a Java version of the standard Pluggable Authentication Module (PAM) framework.

JAAS can be used for two purposes:

  • for authentication of users, to reliably and securely determine who is currently executing Java code, regardless of whether the code is running as an application, an applet, a bean, or a servlet; and
  • for authorization of users to ensure they have the access control rights (permissions) required to do the actions performed.

JAAS authentication is performed in a pluggable fashion. This permits applications to remain independent from underlying authentication technologies. New or updated authentication technologies can be plugged under an application without requiring modifications to the application itself. Applications enable the authentication process by instantiating a LoginContext object, which in turn references a Configuration to determine the authentication technology(ies), or LoginModule(s), to be used in performing the authentication. Typical LoginModules may prompt for and verify a username and password. Others may read and verify a voice or fingerprint sample.

Feature

Many application servers support JAAS as a means of bringing greater flexibility to the declarative security models of the J2EE (now known as Java EE) specification. Jetty's support for JAAS provides more alternatives for servlet security and increases the portability of web applications.

The JAAS support aims to dictate as little as possible whilst providing a sufficiently flexible infrastructure to allow users to drop in their own custom LoginModules.

Configuration

Using JAAS with jetty is simply a matter of declaring an org.eclipse.jetty.plus.jaas.JAASLoginService, creating a JAAS login module configuration file and specifying it on the jetty run line. Let's look at an example.

Step 1

Configure a jetty org.eclipse.jetty.plus.jaas.JAASLoginService to match the <realm-name> in your web.xml file. For example, if the web.xml contains a realm called "xyzrealm" like so:

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>xyzrealm</realm-name>
  <form-login-config>
    <form-login-page>/login/login</form-login-page>
    <form-error-page>/login/error</form-error-page>
  </form-login-config>
</login-config>

Then the following JAASLoginService would be declared in a jetty configuration file:

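    <Call name="addBean">
      <Arg>
          <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
           <!-- Name must be identical to <realm-name> in web.xml -->
           <Set name="Name">xyzrealm</Set>
           <!-- LoginModuleName selects the entry in the JAAS login config file (Step 2) -->
           <Set name="LoginModuleName">xyz</Set>
          </New>
      </Arg>
    </Call>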

Important: The realm-name that you declare in web.xml must match exactly the Name element in your jetty config file.


For your convenience, the Hightide distribution of jetty contains an example configuration file in etc/jetty-jaas.xml.

Step 2

Set up your LoginModule in a configuration file, following the syntax rules:

xyz {
    com.acme.SomeLoginModule required debug=true;
};

Important: It is imperative that the application name on the first line is exactly the same as the LoginModuleName from your jetty config file.


Step 3

You now need to invoke jetty with support for jaas. This involves 3 elements:

  • adding extra jars to jetty's classpath
  • adding the jetty config file with the JAASLoginService declaration to the startup sequence
  • adding the jaas system property java.security.auth.login.config which specifies the location of your login module config file

If you're running the Hightide distribution of jetty, the extra jars will already be on the classpath, so your run line becomes:

java -Djava.security.auth.login.config=mylogin.conf -jar start.jar [myjaas.xml]

Where myjaas.xml is the jetty config file containing the JAASLoginService declaration from step 1. If you modified the provided $JETTY_HOME/etc/jetty-jaas.xml file then this will already be part of the startup sequence, so there is no need to specify it on the run line.

If you're running the standard distribution of jetty, you will need to provide all 3 elements, so the run line becomes:

java -Djava.security.auth.login.config=mylogin.conf -jar start.jar OPTIONS=plus myjaas.xml

Where myjaas.xml is the jetty config file you created in step 1. You might like to edit the start.ini file to add the extra OPTION and the myjaas.xml file to jetty's startup sequence to simplify the command line.
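
A pre-start check for the two exact-match requirements in Steps 1 and 2, given here as an added example that is not part of the original page or of Jetty. The function name check_jaas_wiring and the sample inputs are constructed for illustration, and the login config parsing assumes unquoted application names.

```python
import re
import xml.etree.ElementTree as ET

JAAS_CLASS = "org.eclipse.jetty.plus.jaas.JAASLoginService"

def local(tag):
    """Strip an XML namespace so web.xml files with or without one both work."""
    return tag.rsplit("}", 1)[-1]

def check_jaas_wiring(web_xml, jetty_xml, login_conf):
    """Return a list of mismatches between the three files (empty = consistent)."""
    realms = [e.text.strip() for e in ET.fromstring(web_xml).iter()
              if local(e.tag) == "realm-name" and e.text]
    services = []  # (Name, LoginModuleName) for each declared JAASLoginService
    for new in ET.fromstring(jetty_xml).iter("New"):
        if new.get("class") == JAAS_CLASS:
            props = {s.get("name"): (s.text or "").strip()
                     for s in new.findall("Set")}
            services.append((props.get("Name"), props.get("LoginModuleName")))
    # Application entries in the login config have the form:  name { ... };
    apps = set(re.findall(r"^\s*([\w.-]+)\s*\{", login_conf, flags=re.M))
    problems = []
    names = [name for name, _ in services]
    for realm in realms:
        if realm not in names:  # comparison is exact and case-sensitive
            problems.append(
                f"realm-name {realm!r} has no JAASLoginService with that Name")
    for name, module in services:
        if module not in apps:
            problems.append(f"LoginModuleName {module!r} (service {name!r}) "
                            "has no entry in the login config")
    return problems

# Constructed sample inputs modelled on the snippets in Steps 1 and 2.
WEB_XML = ("<web-app><login-config><auth-method>FORM</auth-method>"
           "<realm-name>xyzrealm</realm-name></login-config></web-app>")
JETTY_XML = ('<Configure><Call name="addBean"><Arg>'
             '<New class="org.eclipse.jetty.plus.jaas.JAASLoginService">'
             '<Set name="Name">{name}</Set>'
             '<Set name="LoginModuleName">xyz</Set>'
             '</New></Arg></Call></Configure>')
LOGIN_CONF = "xyz {\n    com.acme.SomeLoginModule required debug=true;\n};\n"

if __name__ == "__main__":
    for name in ("xyzrealm", "Test JAAS Realm"):
        found = check_jaas_wiring(WEB_XML, JETTY_XML.format(name=name), LOGIN_CONF)
        print(name, "->", found or "consistent")
```
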

Additional Resources

See Java™ Authentication and Authorization Service (JAAS) Reference Guide for more information about JAAS.
