
AUUG – The Organisation for Unix, Linux and Open Source Professionals

Using JAAS and Sun Java System Access Manager to authenticate federally-identified users of a web-application

by David Bullock

ABSTRACT

From the perspective of applications that use authentication services, federated identity is similar to more established forms of centralized account management that facilitate single-sign-on (SSO), except that an application accepting connections from federally-identified users no longer directly receives user credentials.

Existing Java APIs for access-control in both JAAS (checkPermission()) and J2EE (isCallerInRole()) already provide near-transparent authentication, and are well-placed to exploit federated identity without significant application changes.

The push for federated identity is likely to increase awareness of the opportunities that centralized account management affords, because it requires less trust in applications. Centralized account management is an enabler of central management of access policies. The most useful policies can evaluate the permissions of a user with respect to specific application resources. However, to allow external evaluation, applications must code policy-enforcement points without assuming any particular policy framework.

Using JAAS in combination with Sun Java System Access Manager, it is possible to achieve enforcement of policy without the application assuming anything about how a user comes to have a permission, thereby allowing use of policy frameworks such as Role Based Access Control. However, the programming contract of J2EE ironically interferes with protection of application resources in an enterprise environment, even though that environment is where browser-based federated identity makes sense.

We consider how we would approach coding an access control point for p-Contact, a web-based contact-management system which allows users to define, use and share mailing-lists according to a fine-grained access-control scheme that supports conformance with Australian privacy law.
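The following added example (not code from the paper or from p-Contact) shows a policy-enforcement point of the kind the abstract describes: the application names only a resource and an action in a `checkPermission()` call, and the installed policy decides how a user comes to hold that permission. `MailingListPermission`, `RolePolicy`, the role names and the list id are hypothetical, and the code assumes a JDK that still supports `java.security.Policy` and `AccessController` (Java 17 or earlier).

```java
import java.security.*;
import java.util.Collections;
import javax.security.auth.Subject;

public class PepExample {
    // Hypothetical permission: name is a mailing-list id, action is "read" or "send".
    static final class MailingListPermission extends BasicPermission {
        private final String action;
        MailingListPermission(String listId, String action) { super(listId); this.action = action; }
        @Override public String getActions() { return action; }
    }

    // Stand-in for the external policy (role-based here). Replacing it never touches the PEP.
    static final class RolePolicy extends Policy {
        @Override public boolean implies(ProtectionDomain domain, Permission p) {
            if (!(p instanceof MailingListPermission)) return true; // example only: other checks pass
            for (Principal who : domain.getPrincipals()) {
                if (who.getName().equals("role:list-manager")) return true;
                if (who.getName().equals("role:staff") && p.getActions().equals("read")) return true;
            }
            return false;
        }
    }

    // Policy-enforcement point: names the resource and action, never a role.
    static boolean permitted(Subject user, String listId, String action) {
        try {
            Subject.doAsPrivileged(user, (PrivilegedAction<Void>) () -> {
                AccessController.checkPermission(new MailingListPermission(listId, action));
                return null;
            }, null);
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    // Constructed Subject; a deployment would receive it from the authentication service.
    static Subject subjectWith(String principalName) {
        Principal p = () -> principalName;
        return new Subject(true, Collections.singleton(p), Collections.emptySet(), Collections.emptySet());
    }

    public static void main(String[] args) {
        Policy.setPolicy(new RolePolicy());
        System.out.println(permitted(subjectWith("role:staff"), "newsletter", "read"));
        System.out.println(permitted(subjectWith("role:staff"), "newsletter", "send"));
        System.out.println(permitted(subjectWith("role:list-manager"), "newsletter", "send"));
    }
}
```

Swapping `RolePolicy` for a different `Policy` implementation changes who may read or send without any change to `permitted()`, which is the separation a hard-coded `isCallerInRole()` check cannot give.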

David Bullock
Australian Java User’s Group

Download complete paper: Using JAAS and Sun Java System Access Manager to authenticate federally-identified users of a web-application (240K PDF)