Login based on JAAS

Overview

The Java Authentication and Authorization Service (JAAS) is the login framework that has shipped with the Java runtime since J2SE 1.4. It lets application code authenticate a user without depending on how that authentication is done: the mechanism (an LDAP directory, a smart card, the operating system's accounts, and so on) is a LoginModule selected by configuration, so backends can be swapped without touching the calling code. Several LoginModule implementations ship with the various JREs.
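To make the moving parts concrete, here is a complete plain-JAAS login (an added example, not code from this page or from the Equinox project): a LoginModule that is the pluggable backend, a CallbackHandler that stands in for the UI, and a Configuration built in code so that no jaas.conf file is needed. The user table, the "Demo" configuration name and the credentials are constructed for the example; a real module would verify passwords with a salted, slow KDF rather than a bare SHA-256.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Plain JAAS: backend (LoginModule), UI stand-in (CallbackHandler), programmatic Configuration. */
public class JaasDemo {

    /** Principal attached to the Subject once the login has been committed. */
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "UserPrincipal[" + name + "]"; }
    }

    /** The backend. Must be public with a public no-arg constructor: LoginContext instantiates it
     *  reflectively by class name. The user table is constructed data for this example. */
    public static final class InMemoryLoginModule implements LoginModule {
        private static final Map<String, byte[]> USERS = new HashMap<>();
        private static final byte[] DUMMY = sha256(new char[0]);
        static { USERS.put("alice", sha256("correct horse".toCharArray())); }

        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private boolean loginOk;

        @Override public void initialize(Subject subject, CallbackHandler handler,
                                         Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        @Override public boolean login() throws LoginException {
            if (handler == null) throw new LoginException("no CallbackHandler supplied");
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });   // the UI fills these in
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e);
            }
            char[] pw = pc.getPassword();                    // a copy; clear both promptly
            pc.clearPassword();
            byte[] actual = sha256(pw == null ? new char[0] : pw);
            if (pw != null) Arrays.fill(pw, '\0');
            String name = nc.getName();
            // Hash and compare even for unknown users so timing does not reveal which names exist;
            // MessageDigest.isEqual is a constant-time comparison.
            byte[] expected = USERS.getOrDefault(name, DUMMY);
            loginOk = MessageDigest.isEqual(expected, actual) & USERS.containsKey(name);
            if (!loginOk) throw new FailedLoginException("bad credentials");
            user = name;
            return true;
        }

        @Override public boolean commit() {
            if (!loginOk) return false;
            subject.getPrincipals().add(new UserPrincipal(user));
            return true;
        }

        @Override public boolean abort() { loginOk = false; user = null; return true; }

        @Override public boolean logout() {
            subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal);
            loginOk = false; user = null;
            return true;
        }
    }

    /** UI stand-in: answers the callbacks with fixed credentials (a real one would prompt). */
    public static final class FixedCredentials implements CallbackHandler {
        private final String user; private final char[] password;
        public FixedCredentials(String user, char[] password) { this.user = user; this.password = password; }
        @Override public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb, "unsupported callback");
            }
        }
    }

    /** Programmatic Configuration: name "Demo" maps to one REQUIRED InMemoryLoginModule. */
    public static final class DemoConfiguration extends Configuration {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!"Demo".equals(name)) return null;
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    InMemoryLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    new HashMap<String, Object>()) };
        }
    }

    static byte[] sha256(char[] chars) {
        try {
            return MessageDigest.getInstance("SHA-256")
                    .digest(new String(chars).getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) throws LoginException {
        Configuration.setConfiguration(new DemoConfiguration());
        LoginContext ok = new LoginContext("Demo", new Subject(),
                new FixedCredentials("alice", "correct horse".toCharArray()));
        ok.login();
        System.out.println("principals: " + ok.getSubject().getPrincipals());
        ok.logout();
        try {
            new LoginContext("Demo", new Subject(),
                    new FixedCredentials("alice", "wrong".toCharArray())).login();
        } catch (LoginException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Note where the coupling sits: the code that constructs the LoginContext must know both the configuration name and the concrete CallbackHandler, and LoginContext resolves the LoginModule class by name through the thread's context class loader, which is exactly what the extension points described in the rest of this page work around.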

For more information on JAAS:

Extension-point based contribution

JAAS has fixed expectations about where the classes used to build a LoginContext are found: the LoginModules named in a Configuration are loaded through the thread's context class loader (or, failing that, the system class loader), neither of which can see classes that live inside an OSGi bundle. To get around this limitation and bridge JAAS into the Eclipse environment, several extension points let bundles contribute JAAS artifacts into the system. Specifically, the following artifacts have corresponding extension points in the org.eclipse.equinox.security bundle:

To allow the API to evolve while keeping the JAAS model, the bundle provides an org.eclipse.equinox.security.auth.ILoginContext interface that maps to the JAAS LoginContext class. It adds some features of its own, but most of it still speaks in terms of the core JAAS artifacts (Subjects, Principals, CallbackHandlers and so on).

Declarative wiring via LoginContextFactory

Another limitation of plain JAAS is the tight coupling between the backend login Configuration and the CallbackHandler (the UI) that services a login: whoever constructs the LoginContext has to hand it the CallbackHandler, so the code that knows the configuration name must also know the UI class. Equinox adds an extension that maps a configuration name to a specific CallbackHandler, and a factory (org.eclipse.equinox.security.auth.LoginContextFactory) that produces an ILoginContext without the caller having to know about any particular CallbackHandler.

Notifications through ILoginContextListener

Another supported use case is monitoring an application's login lifecycle through an event listener model. This is available through the org.eclipse.equinox.security.auth.ILoginContextListener interface, which is notified when a login or logout starts and again when it finishes, successfully or with a LoginException.
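The following added example (not code from this page or from the Equinox project) shows the factory and the listener from the two sections above used together inside a bundle: an ILoginContextListener that audits the lifecycle and counts consecutive failures, a context obtained from LoginContextFactory so the calling code never names a UI class, and a bounded retry loop around login(). The configuration file name "jaas_config.txt", the "Demo" configuration entry, and the presence of a contributed LoginModule and CallbackHandler mapping for it are assumptions; the factory and listener method signatures are those of the org.eclipse.equinox.security.auth API as used here.

```java
import java.net.URL;
import java.util.concurrent.atomic.AtomicInteger;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import org.eclipse.equinox.security.auth.ILoginContext;
import org.eclipse.equinox.security.auth.ILoginContextListener;
import org.eclipse.equinox.security.auth.LoginContextFactory;
import org.osgi.framework.Bundle;
import org.osgi.framework.FrameworkUtil;

/** Runs inside an Equinox bundle. Assumes the bundle ships a JAAS configuration file
 *  "jaas_config.txt" with a "Demo" entry whose LoginModule (and CallbackHandler mapping) are
 *  contributed through the org.eclipse.equinox.security extension points. */
public class EquinoxLoginDemo {

    /** Audits the login lifecycle and counts consecutive failures. */
    public static final class AuditListener implements ILoginContextListener {
        private final AtomicInteger failures = new AtomicInteger();

        public int consecutiveFailures() { return failures.get(); }

        @Override public void onLoginStart(Subject subject) {
            System.out.println("login starting");
        }

        @Override public void onLoginFinish(Subject subject, LoginException exception) {
            if (exception == null) {
                failures.set(0);
                // Record who logged in (the Principals JAAS attached); never log credentials.
                System.out.println("login ok, principals=" + subject.getPrincipals());
            } else {
                System.out.println("login failed (" + failures.incrementAndGet()
                        + " in a row): " + exception.getMessage());
            }
        }

        @Override public void onLogoutStart(Subject subject) {
            System.out.println("logout starting");
        }

        @Override public void onLogoutFinish(Subject subject, LoginException exception) {
            System.out.println(exception == null ? "logout ok"
                    : "logout failed: " + exception.getMessage());
        }
    }

    /** Creates the ILoginContext. With uiHandler == null the two-argument factory method is used
     *  and the CallbackHandler is resolved from the configuration-name-to-handler extension
     *  mapping, so this code never names a UI class; passing a handler is the coupled alternative. */
    public static ILoginContext createDemoContext(CallbackHandler uiHandler, AuditListener listener) {
        Bundle self = FrameworkUtil.getBundle(EquinoxLoginDemo.class);
        URL config = self.getEntry("jaas_config.txt");   // assumed location inside this bundle
        ILoginContext ctx = (uiHandler == null)
                ? LoginContextFactory.createContext("Demo", config)
                : LoginContextFactory.createContext("Demo", config, uiHandler);
        ctx.registerListener(listener);
        return ctx;
    }

    /** Tries login up to maxAttempts times; each attempt drives the CallbackHandler again.
     *  Returns the authenticated Subject, or null once the attempt budget is exhausted. */
    public static Subject loginWithRetry(ILoginContext ctx, int maxAttempts) {
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            try {
                ctx.login();
                return ctx.getSubject();
            } catch (LoginException e) {
                // The listener's onLoginFinish has already audited this failure; prompt again.
            }
        }
        System.out.println("giving up after " + maxAttempts + " failed attempts");
        return null;
    }

    public static void main(String[] args) throws LoginException {
        AuditListener listener = new AuditListener();
        ILoginContext ctx = createDemoContext(null, listener);   // handler comes from the extension
        Subject subject = loginWithRetry(ctx, 3);
        if (subject != null) {
            // ... do work as the authenticated user ...
            ctx.logout();
        }
        ctx.unregisterListener(listener);
    }
}
```

Because the listener receives the Subject rather than the callbacks, it is a safe place to write an audit trail: it sees who authenticated and whether the attempt failed, but never the password the CallbackHandler collected.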

Future work

Feedback on this functionality is greatly appreciated. Possible future directions include integrating login into the RCP lifecycle, the Jobs framework and so on, and using the user context to affect the behaviour of the runtime system (filtering, etc.).