7.5. Identification and Authentication

Users are assigned unique user identifiers which are used as the basis for access control decisions and auditing. JBoss EAP 6.2.2 authenticates the identity of the user before allowing the user to perform any further security-mediated actions. JBoss EAP 6.2.2 internally maintains the identifier associated with the thread spawned for a user after a successful authentication.
JBoss EAP 6.2.2 provides different identification and authentication mechanisms for different request types:
  • HTTP and webservices: HTTP-basic authentication, HTTP-digest authentication, form-based authentication, client certificate-based authentication.
  • EJB: username and password-based authentication, client certificate-based authentication.
  • HornetQ: username and password-based authentication.
JBoss EAP 6.2.2 implements identification and authentication using Java Authentication and Authorization Service (JAAS) with the PicketBox framework. JAAS is provided by the Java virtual machine in the operational environment. The PicketBox framework uses only the authentication capabilities of JAAS to implement the declarative role-based Java EE security model.
JAAS authentication is performed in a pluggable fashion. This permits Java applications to remain independent from the underlying authentication technologies, and allows the PicketBox security manager to work in different security infrastructures. Integration with a security infrastructure can be achieved without changing the PicketBox security manager implementation. This is done by changing the configuration of the authentication stack that JAAS uses. JBoss EAP 6.2.2 provides the JAAS modules which are called by the JAAS framework to perform identification and authentication.
The basic security interfaces required for implementation of the Java EE security model are not heavily dependent on JAAS. The PicketBox framework is an implementation of the basic security plug-in interfaces that are based on JAAS. PicketBox provides an abstraction layer, which is based on JAAS, to other containers of JBoss EAP 6.2.2. An administrator is able to replace the JAAS-based PicketBox implementation classes with an individual custom security manager implementation that does not use JAAS; however, the evaluated configuration prohibits the replacement of PicketBox.
The following authentication backends and corresponding JAAS modules are allowed to be configured:
  • File-based authentication using UsersRolesLoginModule.
  • File-based authentication for EJB Remoting Framework using RemotingLoginModule.
  • Certificate-based authentication using BaseCertLoginModule.
  • LDAP-based authentication using LdapLoginModule.
  • Advanced LDAP-based authentication using LdapExtLoginModule.
  • Database-based authentication using DatabaseServerLoginModule.
Password quality can be enforced through configuration options of the JAAS modules provided by JBoss EAP 6.2.2.
If the JAAS login authenticates the user, a JAAS Subject is created that contains the following in its PrincipalsSet:
  • A java.security.Principal that corresponds to the client identity as known in the deployment security environment.
  • A java.security.acl.Group named Roles that contains the role names from the application domain to which the user has been assigned. org.jboss.security.SimplePrincipal objects, or custom objects registered as principalClass, are used to represent the role names. SimplePrincipal is a simple string-based implementation of Principal. These roles are used to validate the roles assigned to methods in ejb-jar.xml and the EJBContext.isCallerInRole(String) method implementation.
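The following stand-alone Java program is an added illustration of the two mechanisms described above: the pluggable JAAS authentication stack (a LoginModule selected by a Configuration, so the caller never depends on the backend) and the Subject structure that results from a successful login (a caller-identity Principal plus a group named "Roles" holding the role-name principals). It is not code from this guide or from PicketBox. Assumptions: the user table is constructed for the example; NamedPrincipal stands in for org.jboss.security.SimplePrincipal; the "Roles" group is modelled as a principal carrying a set of role principals instead of java.security.acl.Group (which later JDK releases removed); and isCallerInRole is a local helper mirroring the EJBContext method, not the container's implementation.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasRolesDemo {

    /** String-based principal; stands in for org.jboss.security.SimplePrincipal (assumption). */
    static class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o != null && o.getClass() == getClass() && ((NamedPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return name; }
    }

    /** The group named "Roles": a principal that carries the role-name principals (models acl.Group). */
    static final class RolesGroup extends NamedPrincipal {
        final Set<Principal> members = new HashSet<Principal>();
        RolesGroup() { super("Roles"); }
        @Override public String toString() { return "Roles" + members; }
    }

    /** Constructed backend for the example only: user -> password and user -> roles. */
    static final Map<String, String> PASSWORDS = new HashMap<String, String>();
    static final Map<String, List<String>> USER_ROLES = new HashMap<String, List<String>>();
    static {
        PASSWORDS.put("alice", "correct-horse"); USER_ROLES.put("alice", Arrays.asList("admin", "user"));
        PASSWORDS.put("bob", "battery-staple");  USER_ROLES.put("bob", Arrays.asList("user"));
    }

    /** Minimal JAAS LoginModule: verifies credentials, then populates the Subject in commit(). */
    public static class InMemoryLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private boolean authenticated;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        public boolean login() throws LoginException {
            NameCallback nameCb = new NameCallback("username");
            PasswordCallback passCb = new PasswordCallback("password", false);
            try {
                handler.handle(new Callback[] { nameCb, passCb });
            } catch (Exception e) {
                throw new LoginException("credential callback failed: " + e.getMessage());
            }
            char[] supplied = passCb.getPassword();
            String expected = PASSWORDS.get(nameCb.getName());
            // Compare without an early exit on the first differing byte, and report unknown user and
            // wrong password identically so the failure message does not confirm which usernames exist.
            authenticated = supplied != null && expected != null && MessageDigest.isEqual(
                    expected.getBytes(StandardCharsets.UTF_8),
                    new String(supplied).getBytes(StandardCharsets.UTF_8));
            passCb.clearPassword();
            if (!authenticated) throw new FailedLoginException("invalid username or password");
            user = nameCb.getName();
            return true;
        }

        public boolean commit() {
            if (!authenticated) return false;
            subject.getPrincipals().add(new NamedPrincipal(user));   // caller identity principal
            RolesGroup roles = new RolesGroup();                      // group named "Roles"
            for (String role : USER_ROLES.get(user)) roles.members.add(new NamedPrincipal(role));
            subject.getPrincipals().add(roles);
            return true;
        }
        public boolean abort() { authenticated = false; user = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Programmatic JAAS Configuration: the authentication stack is this list of module entries. */
    static final Configuration STACK = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    InMemoryLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    new HashMap<String, Object>()) };
        }
    };

    /** Supplies the credentials carried by the request to whatever module the stack selects. */
    static CallbackHandler credentials(final String user, final char[] password) {
        return new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                    else throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    static Subject login(String user, char[] password) throws LoginException {
        LoginContext ctx = new LoginContext("app", new Subject(), credentials(user, password), STACK);
        ctx.login();
        return ctx.getSubject();
    }

    /** Local stand-in for EJBContext.isCallerInRole: consult the "Roles" group in the Subject. */
    static boolean isCallerInRole(Subject subject, String role) {
        for (RolesGroup group : subject.getPrincipals(RolesGroup.class)) {
            if (group.members.contains(new NamedPrincipal(role))) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        Subject alice = login("alice", "correct-horse".toCharArray());
        System.out.println("alice principals: " + alice.getPrincipals());
        System.out.println("alice in admin? " + isCallerInRole(alice, "admin"));
        Subject bob = login("bob", "battery-staple".toCharArray());
        System.out.println("bob in admin? " + isCallerInRole(bob, "admin"));
        try {
            login("bob", "wrong".toCharArray());
        } catch (LoginException e) {
            System.out.println("bob, wrong password: " + e.getMessage());
        }
    }
}
```

Swapping the backend means changing only the entry returned by the Configuration, which is the point the section makes about JAAS pluggability: neither the caller nor the role check touches the module class. The role check reads the "Roles" group rather than the caller principal, so a principal whose name happens to equal a role name gains nothing.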
The above-mentioned network protocols tunnel client requests to JBoss EAP 6.2.2. After identification and authentication checks are performed, the request is forwarded to the intended application. As JBoss EAP 6.2.2 uses only the credential information from the network request, only the aspect of communicating the user credentials is relevant for the enforcement of the identification and authentication policy.
JBoss EAP 6.2.2 allows the management of authorization independently for each application and service. The mentioned deployment descriptors and annotations can be used by authorized administrators to configure the identification and authentication mechanism. JBoss EAP 6.2.2 provides the interfaces for managing identification and authentication policy, however it does not restrict the use of the interfaces to authorized administrators. These settings are stored in the JBoss EAP 6.2.2 system configuration. This configuration file could be accessed by users who have access to write permissions on the host system.