JAAS Setup Walkthrough

Few days ago, I was asked to write this article by my friend and classmate Ali Almutawakel. Thanks for this request, I got a lot of fun digging into JAAS.
JAAS stands for Java Authentication and Authorization Service, which is a JVM level security solution for Java applications. That means, in practice, it requires some setups with the platform to get it works. In this article, I will use WildFly as an example application server to demonstrate how it works. The source code that will be using in this article can be found on my github. There is a project I created few days ago called “demo“.

About the Demo Project

Regarding to this project, I want to thank my instructors, Aaron Warsylewicz, John O’Loughlin and Nicole Berard. They contributed their time to inspire me even though this project was not covered by my current program. Without them, I can’t start this article or get the project to work. In my opinion, JAAS by itself, is one of the toughest concept to understand. However, in this article, I’ll skip all the lower level details*, and directly jump into the practice.
To run this project, you need to download and import the source code to Eclipse, and run it on a WildFly application server along with a database (scripts for MySQL and Oracle are provided). You can download some tools to test against the RESTful Web Services, or you can just run the JUnit tests.
If you check my database script in the project, you will find 3 tables. They are a User table, a Group table, and a bridging table. This structure is very common and works well with JAAS. Notice that, although I have a persistence layer and all the entities, JAAS will not use them in this particular project with my settings.

Setting Steps

There are 3 steps to get JAAS working properly:

  1. configure the Application Server
  2. configure the project
  3. add annotations to your code (or you can do it in a programmatic way)

Configure the Application Server

To configure the security settings on WildFly in order to read credentials from database, you need to setup a data source for your database connection first. You can set all the configurations through the web console, or by changing the configuration file.
Web console solution:

  1. Login to WildFly web console (localhost:9990)
  2. Go to Configuration / Subsystem / Security
  3. Add a security domain. The name of the security domain will be used later in jboss-web.xml
  4. Open the security domain. Within the Authentication view, click Add to add an authentication module
  5. Click on Edit to edit the properties of this module (module option key value pairs).
Configuration File:
<security-domain name="demo" cache-type="default">
        <login-module code="Database" flag="required">
            <module-option name="dsJndiName" value="java:/DemoDS" />
            <module-option name="principalsQuery"
                value="select password from demo_user where name=?" />
            <module-option name="rolesQuery"
                value="select g.name, 'Roles' from demo_user u, demo_group g, demo_user_group ug where u.name=? and u.id=ug.user_id and g.id=ug.group_id" />
            <module-option name="hashAlgorithm" value="SHA-256"/>
            <module-option name="hashEncoding" value="BASE64"/>
            <module-option name="ignorePasswordCase" value="true"/>
            <module-option name="hashStorePassword" value="false"/>
            <module-option name="hashUserPassword" value="true"/>
There are few example security domains in the configuration file by default. So, it shouldn’t be difficult to find where to insert the above configuration. You can also check out my README.txt for configuring the application server.
This is the only section that really depends on the which application server you are using. However, most of them shares similar concepts. In addition, you can also create your own authentication mechanism, and setup in the application server.

Configure the Project

Project configurations for JAAS is pretty straight forward. However, knowing the limitations of it would be helpful when building your own applications. There are 2 files (for WildFly and JBoss) to be edited: web.xml and jboss-web.xml.


In web.xml, there are 3 tags and their sub tags you need to manage in order to get JAAS configured within your project. Since you’ve configured the security domain in your application server, JAAS is already sitting there for you to use. So, you don’t have to configure the project to get the user principals. You can programmatically do the authentication and authorization with the user principals. In other words, you will be able to use annotations to automate the authentication and authorization processes.

This tag allows you to apply authentication process by specifying which web resource you want to constraint with what roles. A more general constraint will be overridden by the more specific constraints. For example: in the web.xml file of my project, the constraint “protected” will be applied to all urls with a pattern of /rest/*, except the put method for /rest/user/*, which is using the constraint “public”. In addition, if you don’t specify a role, then everyone can access.

Within this tag, you can config what method is used to do the authentication. BASIC can be a good choice for RESTful Web Services. However, since the password is not asked to be encrypted, you need SSL to encrypt the user credential. (SSL will not only encrypt the user credential but mostly everything, which is nice. But you need a dedicated IP to enable it. Check this article for details)

You can list all the roles (or I call “groups” in my project based on the database structure). These roles are used to associate with the authorizations by annotating them in your code. However, there are pros and cons for doing this. When there are a lot of changes with the security constraints or the security roles, hard configuring them is not a nice way that you want to go.

Personal experience
I had a project which the roles and constraints were constantly changing. For example, the accessibility of each level admin changed every few months, new roles were added, old roles were removed. In that case, since we didn’t predict this requirement, the web.xml configurations locked down all the roles and constraints, we lost the flexibility to change them within java code. To fix it (and meet the deadline), we actually made the program to rewrite the web.xml file. Because of that, every time the system applied new roles and constraints, the server had to restart to apply the changes. That was a disaster in my opinion. So, to know what the clients really need (not only what they say), and choose an appropriate approach is always critical to a complex system.


jboss-web.xml is an JBoss/WildFly extension of web.xml file. If you see this file in my project, you’ll find it’s very straight forward, which only contains the name of the security domain.

Add Annotations

The Java security annotations are fairly simple. You add them to method level (code example) in different layers. It means, you don’t only take control of the security in your RESTful Web Services, but also the business logic layer or even persistent layer (code example).
There are 3 annotations being used mostly: javax.annotation.security.DeclareRoles, javax.annotation.security.PermitAll, javax.annotation.security.RolesAllowed. You can find them in the code examples.

Programmatic Approach

Unlike to apply annotations, you can do the authorization programmatically without configuring roles and constraints in web.xml file. To do that, you need to know if the caller is in a particular role, or you may also want to get caller principle from SessionContext.
* For more details about JAAS theory, there is an unpublished book JAAS in Action you can look into.

This blog may not be up to date. Please see the original post from Blogger http://ift.tt/2ec1QOa
via IFTTT.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s