Software AG Security Infrastructure
Security Infrastructure provides security components for authentication of users, management of roles, and query of user, role, and group information. It works both on client-side applications and on server-side applications. Security Infrastructure is used by many Software AG products and can be used by your own applications.
Security Infrastructure’s basic advantage is the re-use of existing security components. For example, Security Infrastructure supports the same security mechanism for an application that uses a database and another application that uses LDAP directory without any change of code on the application level.
Security Infrastructure is based on login modules, login context, and JAAS configuration files, which in turn are all based on the Oracle JAAS framework.
Login modules are reusable entities that define authentications to perform. Applications can call login modules to authenticate users; verify client certificates; or query user, role, or group information in user repositories. Security Infrastructure provides predefined login modules and OSGi services that you can configure for your environment and desired authentication process. You can also create your own login modules by copying predefined modules and modifying the copies.
You list login modules in login contexts. If you want an application to use more than one login module, you list multiple login modules in a login context.
You define login contexts in a JAAS configuration file. You set up one JAAS configuration file per JVM.
JAAS offers these benefits:
Authentication is independent of applications.
Professional services do not need special know-how to customize and re-use login modules for different authentication schemes.
JAAS accommodates the information for groups and roles in classes derived from java.security.Principal. The Principal interface represents the abstract notion of a Principal that can be any entity, such as an individual, a corporation, and a login ID, while the Subject class represents a grouping of related information for a single entity. Such information includes the Subject's identities, as well as its security-related attributes (passwords and cryptographic keys). If authentication is successful, JAAS creates a Subject that contains one or more Principals with security-related attributes like passwords and cryptographic keys. For example, if a Subject is a person named John, he may have two Principals:
Principal 1 represents John as the citizen of a particular country.
Principal 2 represents John as the employee of a particular company.
Both Principals refer to the same Subject even though they have different names.
The authentication process is as follows:
1. An application instantiates a login context.
2. The login context consults the application configuration (realm) in the JAAS configuration file to load all login modules for the application.
3. The application invokes the login context’s login method to authenticate the user.
4. The login method invokes all loaded login modules as specified in the login context.
5. Each login module tries to authenticate the Subject. If successful, login modules associate relevant Principals and credentials with a Subject object that represents the subject being authenticated. If unsuccessful, login modules throw an exception or the authenticate method returns false.
6. The login context returns the authentication status to the application.
7. If authentication is successful, the application retrieves the Subject from the login context. If not successful, no login occurs and the Subject is empty and does not contain any Principals.
For background information relating to Security Infrastructure, see Java™ Platform, Standard Edition 7 API Specification, Java™ SE 7 Security Documentation, JAAS Reference Guide, JAAS Tutorials, Introduction to JAAS and Java GSS-API Tutorials.