A discussion of the javax.security.auth.login.LoginContext class and JAAS login modules may help Oware system programmers. JAAS provides a framework for modular authentication, like the Pluggable Authentication Module (PAM) framework available in most UNIX implementations.
The LoginContext class is the entry point into this framework. When an application instantiates a new LoginContext, it reads a configuration file and loads login modules specified in that file. LoginContext then initializes each login module, passing any configuration parameters contained in the configuration file. LoginContext then calls the Login method of each login module and stores the state returned by the module. Once each configured module has completed its Login method, LoginContext validates that the combination of states returned by the modules satisfies the requirements for a successful authentication specified in the configuration file. If the requirements are met, then LoginContext calls the commit method of each login module. The login modules add their Principals to the Subject and notify LoginContext that they have succeeded. If any of the login modules’ commit methods fail then LoginContext clears the Subject and any other state information and throws an exception that indicates that the login failed. The configuration file used by JAAS is specified in the login.config.url parameter of the java.security file. The default for Oware is the file oware_jaas.config located in the same directory as the java.security file.
The default configuration for Oware security is the file Oware_jaas.config located in the same directory as the java.security file. Sample configuration files are included with Oware. The default configuration uses only OWLoginModule and authenticates against data stored in the BOM.
While JAAS provides for complex authentication configurations, for administrative simplicity we recommend that you use a single login module. Also, because of the specific requirements of Oware, generic JAAS login modules need some customization before they work properly.