Authentication in Oware

JAAS recognizes that a person may have multiple identities. For example, the same user may be identified by a user ID, a group membership, an X.509 certificate, or a role. JAAS represents each of these identities as a Principal object, and the collection of all of a user's Principals as a Subject object.

Oware JAAS uses the standard JAAS Subject class, javax.security.auth.Subject. A Subject is a container for Principals and Credentials. Credentials are not used in Oware JAAS because they are not serializable and therefore cannot be carried in JMS messages.

The Subject class also provides methods (doAs and doAsPrivileged) that associate a Subject with the current thread's AccessControlContext for the duration of an action. Running code under a Subject in this way lets the Java SecurityManager and secure class loaders make access control decisions based on the identity of the user.

Oware implements JAAS principals with the OWUserPrincipal and OWRolePrincipal classes. OWUserPrincipal represents the primary identity of a user within Oware, while OWRolePrincipal represents a group membership or role association. Oware keeps the two distinct so that permissions assigned to a specific user can override those the user receives through role associations.

When a user logs in, Oware creates a new Subject, and the JAAS login modules configured for Oware populate it with the Principals associated with that user. Oware provides the OWLoginHelper class, which hides the details of login processing; a programmer only needs to obtain an authenticated Subject from it.
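The model described above, as an added example that is not Oware's own code: a JAAS LoginModule populates a Subject with one user principal and two role principals, a programmatic Configuration lets it run without a login.config file, and a permission check is then run under the Subject so that a user-specific grant takes precedence over the grants the user's roles would give. UserPrincipal, RolePrincipal, DemoLoginModule, the context name "oware-demo" and the two grant tables are stand-ins constructed for this example; the constructors of OWUserPrincipal and OWRolePrincipal and the API of OWLoginHelper are not documented on this page. The example uses Subject.callAs and Subject.current (Java 18 and later), the replacements for Subject.doAs and Subject.getSubject, which are deprecated now that recent JDKs no longer allow a SecurityManager.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class JaasPrincipalDemo {

    // Stand-ins for OWUserPrincipal and OWRolePrincipal (their real constructors are not documented here).
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "user:" + name; }
    }

    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "role:" + name; }
    }

    // Hypothetical login module. A real one would verify credentials against a directory;
    // this one only shows how a module populates the Subject with user and role principals.
    public static final class DemoLoginModule implements LoginModule {
        private Subject subject;
        private boolean succeeded;

        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
        }

        @Override public boolean login() { succeeded = true; return true; }

        @Override
        public boolean commit() {
            if (!succeeded) return false;
            subject.getPrincipals().add(new UserPrincipal("alice"));     // primary identity
            subject.getPrincipals().add(new RolePrincipal("operators")); // role memberships
            subject.getPrincipals().add(new RolePrincipal("auditors"));
            return true;
        }

        @Override public boolean abort() { subject = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    // Constructed grant tables for a single permission, keyed by principal name.
    static final Map<String, Boolean> USER_GRANTS = Map.of("alice", false);   // alice is explicitly denied
    static final Map<String, Boolean> ROLE_GRANTS = Map.of("operators", true); // the operators role allows

    // A grant (or denial) on the user principal wins over anything the role principals carry; default deny.
    static boolean isAllowed(Subject s) {
        if (s == null) return false;
        for (UserPrincipal u : s.getPrincipals(UserPrincipal.class)) {
            Boolean decision = USER_GRANTS.get(u.getName());
            if (decision != null) return decision;
        }
        for (RolePrincipal r : s.getPrincipals(RolePrincipal.class)) {
            if (Boolean.TRUE.equals(ROLE_GRANTS.get(r.getName()))) return true;
        }
        return false;
    }

    public static void main(String[] args) throws LoginException {
        // Programmatic JAAS configuration: every context name maps to DemoLoginModule as REQUIRED.
        Configuration.setConfiguration(new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of())
                };
            }
        });

        LoginContext lc = new LoginContext("oware-demo");
        lc.login();
        Subject alice = lc.getSubject();
        System.out.println("principals: " + alice.getPrincipals());

        // Run the check with the Subject bound to the current thread; the callee recovers it with Subject.current().
        boolean aliceAllowed = Subject.callAs(alice, () -> isAllowed(Subject.current()));
        System.out.println("alice allowed: " + aliceAllowed); // false: user denial overrides the operators role

        // A user with no user-specific entry falls through to the role grants.
        Subject bob = new Subject();
        bob.getPrincipals().add(new UserPrincipal("bob"));
        bob.getPrincipals().add(new RolePrincipal("operators"));
        System.out.println("bob allowed: " + Subject.callAs(bob, () -> isAllowed(Subject.current()))); // true
    }
}
```

The check deliberately consults user principals before role principals and returns on the first explicit user decision, which is what gives a user-specific permission precedence over role-derived ones; reversing the two loops would let a permissive role silently override a per-user denial.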