Balancing openness and security is
complicated when you’re writing applications that users outside
your company’s normal network sandbox must be able to access or
that access resources needing security protection.

Many Java programmers create their own security
modules for their applications. Most of these modules are for a
specific application; then, when the next app comes along that
needs security, the programmer has to start all over again. Another
drawback of building your own security system for your application
is that, as the application becomes more complex, the security
requirements probably will too.

Java Authentication and Authorization

You can avoid this problem (or at least
significantly reduce the impact of implementing security for your
application) by taking advantage of the Java Authentication and
Authorization Service (JAAS) API, which is in the standard Java

JAAS provides the ability to implement the two
things that any decent security system needs: authentication and

  • Authentication means verifying a user’s identity. There are ways to
    achieve this by using different mechanisms, including certificates,
    existing authentication schemes, databases, etc. The authentication
    section of JAAS is pluggable, so you configure your application at
    runtime to use the authentication module you desire.
  • The
    authorization component of JAAS determines which resources an
    authenticated user can access. This authorization scheme is based
    on roles and principles.

Developers can use JAAS for standalone
applications, Web apps, EJBs, and pretty much any type of Java app
that you can create. The flexibility and openness of the API can
make it a bit difficult to understand at first. But if you’re using
an application server, it probably already has JAAS modules that
you can use to manage your application’s security.

The next time you need security in your
application, consider whether JAAS can save you time and effort. If
you’re already using a J2EE or servlet container, check out its
JAAS capabilities. Even though JAAS has a steep learning curve,
it’s also a very short one, and the benefits are definitely worth
the effort it takes to get started.

Delivered each Thursday, our free Java newsletter provides insight and hands-on tips you need to unlock the full potential of this programming language. Automatically sign up today!