Concept behind how java clients authenticate with JEE server like weblogic, jboss etc

Question

I have been going through lot of documentation to understand what is the standard way (if there is any) in which the java client authenticates themselves with the applications deployed on server container like weblogic, jboss etc. After reading about JAAS & JNDI authentication documentation for weblogic, I am able to understand the flow, but no documentation answers the below queries

1. Are JAAS and JNDI the only available methods for authenticating java clients ?

   • What I understood so far is, that each application server can provide its own abstraction layer to perform authentication, for example OPSS in weblogic, but eventually they all depend on native authentication methods available in JEE framework. Please point out if this assumption is not correct.

2. The confusion is greatly amplified as some article mention that JAAS security doesn't exists in JEE. Is that valid for java 7+ too?

   • The oracle weblogic documentation I have been going through clearly states JNDI & JAAS as the standard authentication approaches, and even goes to the extent to specifying JAAS as being preferred over JNDI authentication. https://docs.oracle.com/cd/E28280_01/web.1111/e13711/fat_client.htm#SCPRG225/

Answer 1

Here is clarification I got based on the material read during last two days.

Most basic thing - All application servers provided provide an identity store, that can store users & groups. Applications can refer to this identity store, as when it is deployed on the server.

A Caller or User is an individual named identity defined in an identity store. https://dzone.com/refcardz/getting-started-java-ee?chapter=1

• How the applications execute authentication?

Based on pure JEE framework, the authentication methods can be classified based on the type of application it secures:

1. Web Application Authentication

   • Declarative: We use either deployment descriptors or @annotations to specify these authentication enablers: a. Which options to use for rendering authentication i.e. basic (browser popup), custom form, SSL, etc. b. Which resources(URL patterns) need authentication and authorization. c. Which users or roles (via groups) are permitted authentication or authorization.

   • Programmatic Here we make use of security methods() in built in interface HttpServletRequest.

The application(e.g. servlet) call following methods to instigate authentication from within an "unconstrained" resource.

a. request. Authenticate: A login box pops up to collect credentials.

b. request. login: This methods takes login/password without the pop

c. request. logout: Resets the user/caller identity

There are several other methods also available, that provides more details of the authenticated user like isUserInRole(whether it's in given role), GetRemoteUser(gives user name), etc.

2. EJB Authentication

How EJBs are authenticated?? EJBs are can also be secured in the same way, as web based apps. i.e. Either with Declarative or programmatic security. Some caveats to this statement, but those are not relevant to current discussion.

• So why do we need JAAS, and what is JAAS?

To appreciate this, let's understand a practical scenario for any:

An application may have multiple authentication requirements e.g. password, certificate, authentication users from multiple security realms, perimeter authentication, etc. Do we have to code so much for every application, and type of authentication? Now, it can be cumbersome and complex create & maintain code for authenticating users based on these different techno-business requirements.

To address above situation, there has to be a Pluggable way to writing code for authentication, wherein, developers would only be responsible for mentioning(not coding) which AuthenticationProvider has to be used, and writing code to call the loginModule of that particular provider, which eventually has code to authenticate the given user/caller.

This framework of providing pluggable authentication is called Pluggable Authentication Module in LDAP world. "JAAS" is java implementation of PAM framework. With JAAS, either updated, or additional authentication technologies can be plugged under an application, without modifying the application code as such.

After Authentication, JAAS also enforces authorization.

JEE provides libraries to implement JAAS in applications!

• Is JAAS implemented in same way across different enterprise application servers like Weblogic, JBoss, etc.

Well, "It can be", "but is usually not" implemented in same way across different application servers.

This is because application server may provide its own libraries, which can be used to implement JAAS.

Hope this clarifies the JEE security model to folks who do not have development background.