Java Authentication Service Provider Interface for Container is the JSR196 Specification.
It allows Containers to delegate security authentication decisions to external providers. There are 4 integration points to plug in security providers in the request stream - two on the client side and two on the server side.
Client integration points are secureRequest and validateResponse, whereas the server integration points are validateRequest and secureResponse.
The following is a simplified diagram of the JSR196 Authentication Process:
In the current version of the specification, there is support for Http Requests as well as SOAP messages. But the concept of AuthParam can be extended to include JMS, JCA requests also.
JSR-196 ServerAuthModules and JAAS LoginModules Relationship:
A ServerAuthModule can create an instance of javax.security.auth.login.LoginContext(In the constructor, it can pass javax.security.auth.login.Configuration instance and a custom name input. In the constructor,if a Subject is passed, then it should be a reference to the source Subject )
In the validateRequest method, a call is made to LoginContext.login
If the ServerAuthModule did not pass a Subject as part of the LoginContext construction, then it can retrieve the Subject created by the LoginContext via LoginContext.getSubject method and then plugin the Principals/Credentials into its own Source subject.
ServerAuthModule.disposeSubject will invoke the LoginContext.logout method.
If the LoginContext throws an exception, it can be chained to a AuthException by the ServerAuthContext.
The ServerAuthConfig and ClientAuthConfig operate at the message layer level. So basically there is one authconfig for the web container (http) and the soap container (ofcourse extensions involve ejb, jms, jca containers etc). Since these config objects have knowledge of the target applications and the authmodules associated - the way the AuthConfig get tied to a stack of authmodules is via application level configuration of the security domain.
An additional security domain variant can be the following: java:jauth/security-domain
in addition to the existing java:jaas/security-domain
Remember this security domain configuration happens at the webapp level, webservice deployment level, ejb-jar level etc...
There is a need for new JSR196 AuthModule configuration, similar to the login-config.xml style.
Reuse the javax.security.auth.Subject specified by the JSR196 specification or use a custom holder class for the Identity information(Principals, Credentials etc).
Design Forum Discussion:
Associated Wiki Pages: