Hitachi

uCosminexus Application Server Security Management Guide


5.2.3 Overview of Java Authentication and Authorization Service (JAAS)-based user authentication

Traditionally, proprietary interfaces were designed to invoke the user authentication mechanisms of business systems through the Web, and Web business services built from scratch with Java EE technologies also used the proprietary authentication mechanisms of their application servers. These interface differences have been a major hurdle to integrating services. To remove this hurdle, JAAS (Java Authentication and Authorization Service) 1.0 was finalized as the standard Java user authentication specification, and it is now the user authentication standard for Web business services developed with Java EE technologies.

Organization of this subsection

(1) Association between the integrated user management framework and individual user management
(2) Overview of Cosminexus standard login modules

(1) Association between the integrated user management framework and individual user management

JAAS specifies two interfaces: the API (Application Programming Interface), through which an application sends authentication requests, and the SPI (Service Provider Interface), which receives and processes those requests. The module that processes authentication is called the login module. The following figure shows the association between the API and the SPI.

Figure 5‒4: Association between API and SPI

[Figure]

Cosminexus provides the Cosminexus standard login modules, which perform password authentication by default. They are used to manage the users of J2EE applications built with JSPs and servlets that use the JAAS API.

Application developers no longer need to develop authentication modules by themselves if they use the Cosminexus standard login modules. As modules are stackable, it is easy to add an enhanced authentication module that works together with the Cosminexus standard login modules. If the application requires a completely unique authentication function, the Cosminexus standard login module can be easily replaced by a custom authentication module. As a result, application programs that use JAAS for user authentication can be effortlessly integrated by using Cosminexus.

This is called JAAS-based user management. The following figure shows an overview of JAAS-based user management. Note that the user information repository in the figure is the repository that stores the user information needed for the authentication process.

Figure 5‒5: Overview of JAAS-based user management

[Figure]

When JAAS-based user management is used together with the integrated user management framework, the user mapping function becomes available: it maps a user authenticated by one business service to the corresponding user of another business service and requests authentication there. When a business service uses its own user information repository, single sign-on that includes that service can be implemented by creating a custom login module. The following figure shows an overview of single sign-on with user mapping. Note that the single sign-on repository in the figure is the repository that stores the mapping information needed for single sign-on.

Figure 5‒6: Overview of the user mapping function

[Figure]

(2) Overview of Cosminexus standard login modules

The Cosminexus standard login module is an implementation class of the LoginModule interface in the javax.security.auth.spi package. Different types of the module are provided, depending on the authentication method implemented.

The Cosminexus standard login module has the following features.

User authentication can be done by using the existing user information (LDAP information or database information).

The Cosminexus standard login module allows the LDAP directory server or database (RDB) to be used as the repository that stores the user information used for user authentication.

When the LDAP directory server is used, Cosminexus specifies the DIT (Directory Information Tree) structure of the standard user management repository. If an LDAP directory has already been deployed, its existing information can be used after simple customization. The DIT is the LDAP mechanism for managing user and organization information in a tree structure. For details, see 5.2.4 Management method of user information used for integrated user management.

Certificates or passwords can be used for authentication depending on the type of the Cosminexus standard login module.

The user information can be referenced.

When the user authentication is successful, the information about the login user can be referenced.

JAAS specifies that credentials must be assigned to the Subject when the user is successfully authenticated. It also specifies the general methods (getPublicCredentials and getPrivateCredentials, each returning a java.util.Set) that the requesting application uses to reference the authenticated user's information.

The Cosminexus standard login module provides an interface for referencing the user information. The user information is supplied as a credential, in the form of an object handled through the UserAttributes interface provided by Cosminexus and populated according to the configuration. The application fetches this object through the standard JAAS interface and obtains the user information by passing an attribute name to the object's getAttribute method; alternatively, an alias can be specified to obtain the information.
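As an added example (not Cosminexus's code, and not its UserAttributes interface), the following stand-alone JAAS program shows the split described above: a login module on the SPI side that attaches a credential object to the Subject in commit(), and an application on the API side that configures the module stack, calls LoginContext.login() and reads the credential back through getPublicCredentials(). The class name DemoLoginModule, the entry name "DemoApp", the in-memory user table and the attribute values are constructed for this example.

```java
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
// SPI side: hypothetical login module; the in-memory table stands in for the user information repository.
public class DemoLoginModule implements LoginModule {
    private static final Map<String, char[]> REPO = Map.of("alice", "s3cret".toCharArray()); // constructed
    private Subject subject; private CallbackHandler handler; private String user;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
    // Phase 1: verify the password; nothing is attached to the Subject yet.
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[]{nc, pc}); }
        catch (Exception e) { throw new LoginException("callback failed: " + e); }
        char[] pw = pc.getPassword();
        boolean ok = pw != null && Arrays.equals(REPO.get(nc.getName()), pw);
        pc.clearPassword();
        if (!ok) throw new FailedLoginException("authentication failed");
        user = nc.getName();
        return true;
    }
    // Phase 2: credentials go onto the Subject only when the whole stack commits.
    public boolean commit() {
        if (user == null) return false;
        subject.getPublicCredentials().add(Map.of("uid", user, "mail", user + "@example.test")); // constructed attributes
        return true;
    }
    public boolean abort() { user = null; return true; }
    public boolean logout() { subject.getPublicCredentials().clear(); return true; }
    // API side: the application names the module stack (more AppConfigurationEntry elements = more stacked modules).
    public static void main(String[] args) throws LoginException {
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[]{new AppConfigurationEntry(DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of())};
            }
        };
        CallbackHandler ch = cbs -> { for (Callback c : cbs) {   // supplies what the SPI module asks for
            if (c instanceof NameCallback) ((NameCallback) c).setName("alice");
            else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("s3cret".toCharArray());
        } };
        LoginContext lc = new LoginContext("DemoApp", new Subject(), ch, cfg);
        lc.login(); // runs login() on every module in the stack, then commit() (or abort() on failure)
        System.out.println(lc.getSubject().getPublicCredentials());
    }
}
```

With a wrong password, login() throws FailedLoginException and the Subject stays empty, because commit() never runs for a failed stack.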

Single sign-ons can be implemented.

The Cosminexus standard login module supports single sign-on.

To implement single sign-on, an LDAP directory server is needed regardless of the type of repository that manages the user information.