Java Authentication and Authorization Service - Login Modules

Login Modules

Login modules are primarily concerned with authentication rather than authorization and form a widely used component of JAAS. A login module is required to implement the javax.security.auth.spi.LoginModule interface, which specifies the following methods:

Note: A Subject is the user that is attempting to log in.

  • initialize: Code to initialize the login module, usually by storing the parameters passed into appropriate fields of the Class.
  • login: Actually check the credentials provided via an Object that implements the javax.security.auth.Callback interface (e.g. check against a database). This method could prompt the user for their login and password or it could use details previously obtained. It is important to note here that, if invalid credentials are supplied then a javax.security.auth.login.FailedLoginException should be thrown (rather than returning false, which indicates that this login module should be ignored, which potentially allows authentication to succeed).
  • commit: The identity of the subject has been verified, so code in this method sets up the Principal and Groups (roles) for the successfully authenticated subject. This method has to be written carefully in enterprise applications as Java EE application servers often expect the relationships between the Principal and Group objects to be set up in a certain way. This method should throw a javax.security.auth.login.FailedLoginException if authentication fails (e.g. a user has specified an incorrect login or password).
  • abort: Called if the authentication process itself fails. If this method returns false, then this Login Module is ignored.
  • logout: Code that should be executed upon logout (e.g. could remove the Principal from the Subject or could invalidate a web session).

Login modules can provide single sign on (SSO) via a particular SSO protocol/framework (e.g. SAML, OpenID, and SPNEGO), can check for the presence of hardware security tokens (e.g. USB token), e.t.c. In an n-tier application, Login Modules can be present on both the client side and server side.

Read more about this topic:  Java Authentication And Authorization Service