Java Authentication and Authorization Service


Java Authentication and Authorization Service (JAAS), pronounced "Jazz", is the Java implementation of the standard Pluggable Authentication Module (PAM) information security framework and is a Authentication Method

Java Authentication and Authorization Service was introduced as an extension library to the Java Platform, Standard Edition 1.3 and was integrated in version 1.4.

The main goal of JAAS is to separate the concerns of user authentication so that they may be managed independently. While the former authentication mechanism contained information about where the code originated from and who signed that code, JAAS adds a marker about who runs the code. By extending the verification vectors JAAS extends the security architecture for Java applications that require authentication and authorization modules.

The Java platform defines a set of APIs spanning major security areas, including cryptography, public Key Infrastructure, authentication, secure communication, and access Control. These APIs allow developers to easily integrate security into their application code.

Note: Historically, as new types of security services were added to the Java platform (sometimes initially as extensions), various acronyms were used to refer to them. Since these acronyms are still in use in the Java security documentation, here is an explanation of what they represent: JSSE (Java Secure Socket Extension) refers to the SSL-related services, Java Cryptography Extensions (JCE) refers to cryptographic services (Section 4), and JAAS refers to the authentication and user-based Access Control Services.


The JavaTM Authentication and Authorization Service (JAAS) was introduced as an optional package (extension) to the JavaTM 2 SDK, Standard Edition (J2SDK), v 1.3. JAAS was integrated into the J2SDK 1.4.

Java Authentication and Authorization Service doesn’t directly associate a user’s identities with a Digital Subject. Instead, a Principal holds onto any number of Digital Subjects. In the simplest sense, a Principal is an Digital Subject. Thus, a Principal can be thought of as a container for all of Digital Subject's identities, similar to how your wallet contains all of your id cards: driver’s license, social security, insurance card, or pet store club card. For example, a Principal could be:

  • The user "jsmith" which is John Smith’s login for the server.
  • Employee number #4592 which is John Smith’s employee number.
  • John’s Social Security number which is used by the HR department.

Each of these identity Principal is associated with John Smith and, thus, once John authenticates with the JAAS-enabled system, each Principal is associated to his Digital Subject.

We will use Digital Subject and Principal as the same.

Services Provided#

Java Authentication and Authorization Service can be used for two purposes:
  • for authentication of users, to reliably and securely determine who is currently executing Java code, regardless of whether the code is running as an application, an applet, a bean, or a servlet
  • for authorization of users to ensure they have the access control rights (permissions) required to do the actions performed.

JAAS implements a Java version of the standard Pluggable Authentication Module (PAM) framework. See Making Login Services Independent from Authentication Technologies for further information.

Traditionally Java has provided codesource-based access controls (access controls based on where the code originated from and who signed the code). It lacked, however, the ability to additionally enforce access controls based on who runs the code. JAAS provides a framework that augments the Java security architecture with such support.

Pluggable Authentication#

JAAS authentication is performed in a pluggable fashion. This permits applications to remain independent from underlying authentication technologies. New or updated authentication technologies can be plugged under an application without requiring modifications to the application itself. Applications enable the authentication process by instantiating a LoginContext object, which in turn references a Configuration to determine the authentication technology(ies), or LoginModule(s), to be used in performing the authentication. Typical LoginModules may prompt for and verify a username and password. Others may read and verify a voice or fingerprint sample.

Once the user or service executing the code has been authenticated, the JAAS authorization component works in conjunction with the core Java SE access control model to protect access to sensitive resources.

Unlike in the J2SDK 1.3 and earlier, where access control decisions are based solely on code location and code signers (a CodeSource), in the J2SDK 1.4 access control decisions are based both on the executing code's CodeSource and on the user or service running the code, who is represented by a Digital Subject object. The Digital Subject is updated by a LoginModule with relevant Principal and credentials if authentication succeeds.

More Information#

There might be more information for this subject on one of the following: