Contact Us 1-800-596-4880

JAAS Security

The JaasSimpleAuthenticationProvider is a security provider that interacts with the Java as a Service (JAAS) Authentication Service.

You can configure the security provider for JAAS by passing to the provider either a JAAS configuration file or the required attributes directly to the JaasSimpleAuthenticationProvider. These two configuration methods are described below.

Using the JAAS Configuration File

Usually, JAAS authentication is performed in a pluggable fashion, so applications can remain independent from underlying authentication technologies.

jaasTest{
   org.mule.module.jaas.loginmodule.DefaultLoginModule required
   credentials="anon:anon;Marie.Rizzo:dragon;"
};

The above example is saved in a file called jaas.conf. This file contains just one entry called com.ss.jaasTest, which is where the application we want to protect can be found. The entry specifies the login module that is used to authenticate the user. As a login module, you can either use Mule’s DefaultLoginModule, one of the login modules that come with Sun, or else create your own. In this case, we have opted for Mule’s DefaultLoginModule.

The required flag that follows the login module specifies that the login module must succeed for the authentication to be considered successful.

Additional flags are:

  • Required - The login module is required to succeed. If it succeeds or fails, authentication still continues to proceed down the login module list.

  • Requisite - The login module is required to succeed. If it succeeds, authentication continues down the login module list. If it fails, control immediately returns to the application.

  • Sufficient - The login module is not required to succeed. If it does succeed, control immediately returns to the application (authentication does not proceed down the login module list). If it fails, authentication continues down the login module list.

  • Optional - The login module is not required to succeed. If it succeeds or fails, authentication still continues to proceed down the login module list.

The entry also specifies the credentials, in which we put a string of authorized users together with their passwords. The credentials are put here only when the DefaultLoginModule is going to be used, as the method in which the user names and passwords are obtained may vary from one login module to another.

The format of the credentials string must adhere to the following format for DefaultLoginModule:

<username>:<password>;

Configuring the Provider in the Mule Configuration File

<mule xmlns="http://www.mulesource.org/schema/mule/core/2.2"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaas="http://www.mulesource.org/schema/mule/jaas/2.2"
       ...cut...

    <jaas:security-manager>
        <jaas:security-provider name="jaasSecurityProvider" loginContextName="jaasTest" loginConfig="jaas.conf"/>
    </jaas:security-manager>

The loginContextName contains the same name of the entry as in the Jaas configuration file. This name is used for creating the login context as well as to find the complete URL of the jaas.conf file.

Passing the Credentials Directly to the Provider

The second option for the configuration of the JaasSimpleAuthenticationProvider is to pass the configuration details that would otherwise be found in the JAAS configuration file directly to the provider.

<jaas:security-manager>
    <jaas:security-provider name="jaasSecurityProvider" loginContextName="jaasTest" credentials="anon:anon;Marie.Rizzo:dragon;"/>
</jaas:security-manager>

In the above configuration, note that we removed the property loginConfig and don’t need to pass any Jaas configuration file. Instead, we simply pass the credentials to the provider (using the same format as specified above). Since no login module is specified, the DefaultLoginModule is used.

Passing a Non-default Login Module

The third option is to enter your own login module.

<jaas:security-manager>
    <jaas:security-provider name="jaasSecurityProvider" loginContextName="jaasTest" loginModule="com.sun.security.auth.module.NTLoginModule"/>
</jaas:security-manager>

In the above configuration, we have added the loginModule property, which allows you to specify the login module you want to use to authenticate the user. Since the NTLoginModule does not require you to input a list of accepted usernames and passwords, the property for the credentials was removed.

Configuring the Security Filter on an Endpoint

You can use JaasSecurityFilter as a security filter, as follows:

<inbound>
    <inbound-endpoint address="vm://test">
        <jaas:jaas-security-filter/>
    </inbound-endpoint>
</inbound>

JAAS Module Reference

This module provides security via JAAS.

Security manager

This is the security provider type that is used to configure JAAS related functionality.

Attributes of <security-manager…​>

Name Type Required Default Description

Child Elements of <security-manager…​>

Name Cardinality Description

security-provider

0..1

This is the security provider type that is used to configure JAAS related functionality.

password-encryption-strategy

0..*

Security provider

This is the security provider type that is used to configure JAAS related functionality.

Attributes of <security-provider…​>

Name Type Required Default Description

loginContextName

string

yes

credentials

string

no

loginConfig

string

no

loginModule

string

no

Child Elements of <security-provider…​>

Name Cardinality Description

Jaas security filter

Authenticates users via JAAS.

Child Elements of <jaas-security-filter…​>

Name Cardinality Description