The first time you sign into developerWorks, a profile is created for you. Select information in your profile (name, country/region, and company) is displayed to the public and will accompany any content you post. You may update your IBM account at any time.

All information submitted is secure.

The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerworks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

All information submitted is secure.

My developerWorks:

My notifications:

Sign out

Select a language:

Java security, Part 2: Authentication and authorization

Brad Rubin (BradRubin@BradRubin.com), Principal , Brad Rubin & Associates Inc.

Brad Rubin is principal of Brad Rubin & Associates Inc., a computer-security consulting company specializing in wireless network and Java application security and education. Brad spent 14 years with IBM in Rochester, MN, working on all facets of the AS/400 hardware and software development, starting with its first release. He was a key player in IBM's move to embrace the Java platform, and was lead architect of IBM's largest Java application, a business application framework product called SanFrancisco (now part of WebSphere). He was also chief technology officer for the Data Storage Division of Imation Corp., as well as the leader of its R&D organization.

Brad has degrees in Computer and Electrical Engineering, and a Doctorate in Computer Science from the University of Wisconsin, Madison. He currently teaches the Senior Design course in Electrical and Computer Engineering at the University of Minnesota, and will develop and teach the university's Computer Security course in Fall 2002.

Summary: The Java platform, both its base language features and library extensions, provides an excellent base for writing secure applications. In this tutorial, Part 2 of 2, Brad Rubin introduces the basic concepts of authentication and authorization and provides an architectural overview of JAAS. Through the use of a sample application he'll guide your understanding of JAAS from theory to practice. By the end of the tutorial you will have a good foundation for working with JAAS on your own.

Date: 19 Jul 2002
Level: Introductory
PDF: A4 and Letter (507 KB | 29 pages)Get Adobe® Reader®

Activity: 33533 views
Comments:

About this tutorial

What is this tutorial about?

There is perhaps no software engineering topic of more timely importance than application security. Attacks are costly, whether the attack comes from inside or out, and some attacks can expose a software company to liability for damages. As computer (and especially Internet) technologies evolve, security attacks are becoming more sophisticated and frequent. Staying on top of the most up-to-date techniques and tools is one key to application security; the other is a solid foundation in proven technologies such as data encryption, authentication, and authorization.

In this two-part tutorial, we've been learning about the security features of the Java platform. Part 1 served as a beginner's introduction to Java cryptography. Here, in Part 2, we'll expand the discussion to encompass access control, which is managed in the Java platform by the Java Authentication and Authorization Service (JAAS).

Should I take this tutorial?

This is an intermediate-level tutorial. It is assumed that you know how to read and write basic Java applications and applets. If you're already a Java programmer, and you've been curious about authentication and authorization technologies and the Java library that supports them, then this tutorial is for you.

We'll start with an introduction to the basic concepts of authentication and authorization, as well as an architectural overview of JAAS. Next, we'll use a JAAS sample application to take your understanding of JAAS from theory to practice, both by breaking down the components of the application and by viewing the final execution result. As part of this exercise, we'll study a variety of JAAS configuration options that will help further cement the concepts you've learned.

JAAS is a complex technology, rich in function and features. We'll take it in slowly, in bite-sized chunks, and it is recommended that you go over each new concept more than once. By the end of the tutorial you will have a good foundation for working with JAAS on your own.

You need not have taken Part 1 of this tutorial to understand Part 2.

Tools, code samples, and installation requirements

JAAS started out as an extension to the Java 2 platform, Standard Edition. Recently, however, it has been added to version 1.4. To complete this tutorial you will need the following:

JDK 1.4, Standard Edition
The tutorial source code and classes, JavaSecurity2-source.jar, so that you can follow the examples as we go along.
A browser that supports the Java 1.4 plug-in.

You can use JDK 1.3.x, but you must install the JCE and JSSE yourself.

Comments

static.content.url=http://www.ibm.com/developerworks/js/artrating/

SITE_ID=1

Zone=Java technology

ArticleID=132299

TutorialTitle=Java security, Part 2: Authentication and authorization

publish-date=07192002

author1-email=BradRubin@BradRubin.com

author1-email-cc=jaloi@us.ibm.com

Next steps from IBM

WebSphere Portal can help your small and midsize business achieve better website security, along with faster time to value with easily deployable and customizable example Web sites.