
Jaas Security

Mule Runtime Engine versions 3.5, 3.6, and 3.7 reached End of Life on or before January 25, 2020. For more information, contact your Customer Success Manager to determine how you can migrate to the latest Mule version.

The JaasSimpleAuthenticationProvider is a security provider that provides a way to interact with the Jaas Authentication Service.

The security provider for Jaas can be configured in a couple of different ways. It allows you to configure Jaas either by passing to the provider a Jaas configuration file or by passing the required attributes directly to the JaasSimpleAuthenticationProvider. These two configuration methods are described below.

Using the Jaas Configuration File

Usually, JAAS authentication is performed in a pluggable fashion, so applications can remain independent from underlying authentication technologies.

jaasTest{
   org.mule.module.jaas.loginmodule.DefaultLoginModule required
   credentials="anon:anon;Marie.Rizzo:dragon;";
};

The above example was saved in a file called jaas.conf. This file contains just one entry called com.ss.jaasTest, which is where the application we want to protect can be found. The entry specifies the login module that will be used to authenticate the user. As a login module, you can either use Mule’s DefaultLoginModule, one of the login modules that come with Sun, or else create your own. In this case, we have opted for Mule’s DefaultLoginModule.

The required flag that follows the login module specifies that the login module must succeed for the authentication to be considered successful. The available flags are:

Required - The login module is required to succeed. If it succeeds or fails, authentication still continues to proceed down the login module list.

Requisite - The login module is required to succeed. If it succeeds, authentication continues down the login module list. If it fails, control immediately returns to the application.

Sufficient - The login module is not required to succeed. If it does succeed, control immediately returns to the application (authentication does not proceed down the login module list). If it fails, authentication continues down the login module list.

Optional - The login module is not required to succeed. If it succeeds or fails, authentication still continues to proceed down the login module list.

The entry also specifies the credentials, in which we put a string of authorized users together with their passwords. The credentials are put here only when the DefaultLoginModule is going to be used, as the method in which the user names and passwords are obtained may vary from one login module to another.

If the DefaultLoginModule is going to be used, the credentials string must adhere to the following format:

<username>:<password>;
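The control flags and the credentials format described above, as an added Python simulation (not Mule's or the JDK's code): it parses an entry written in the jaas.conf syntax and walks the login module list the way the flags describe. The overall-outcome rule at the end follows standard JAAS semantics and goes beyond what this page states; example.StubModule and the svc account are constructed for illustration.

```python
import re

# Constructed sample in JAAS configuration syntax. "example.StubModule" is a
# hypothetical class; both modules are modelled as checking a credentials
# option in the DefaultLoginModule format <username>:<password>;
SAMPLE_CONF = '''
jaasTest {
   example.StubModule sufficient
   credentials="svc:s3cret;";
   org.mule.module.jaas.loginmodule.DefaultLoginModule required
   credentials="anon:anon;Marie.Rizzo:dragon;";
};
'''

MODULE_RE = re.compile(
    r'([\w.$]+)\s+(required|requisite|sufficient|optional)\b'
    r'((?:\s+\w+="[^"]*")*)\s*;', re.I)

def parse_credentials(value):
    """Split '<username>:<password>;' pairs into a dict."""
    return dict(p.split(":", 1) for p in value.split(";") if ":" in p)

def parse_entry(conf, entry):
    """Return [(module class, flag, credentials dict)] for one named entry."""
    body = re.search(r'\b%s\s*\{(.*?)\}\s*;' % re.escape(entry), conf, re.S)
    if body is None:
        raise KeyError("no such entry: " + entry)
    modules = []
    for cls, flag, opts in MODULE_RE.findall(body.group(1)):
        options = dict(re.findall(r'(\w+)="([^"]*)"', opts))
        creds = parse_credentials(options.get("credentials", ""))
        modules.append((cls, flag.lower(), creds))
    return modules

def authenticate(conf, entry, user, password):
    """Walk the stack by control flag; return (authenticated, modules invoked)."""
    required_failed, any_success, invoked = False, False, []
    for cls, flag, creds in parse_entry(conf, entry):
        invoked.append(cls)
        if user in creds and creds[user] == password:
            any_success = True
            if flag == "sufficient" and not required_failed:
                return True, invoked      # control returns to the application
        elif flag == "requisite":
            return False, invoked         # fail immediately
        elif flag == "required":
            required_failed = True        # fail, but keep walking the list
    # Overall success needs every required/requisite module to have succeeded
    # and at least one module to have succeeded.
    return any_success and not required_failed, invoked
```

A sufficient module that succeeds after an earlier required module has failed does not rescue the login: the list is still walked to the end and the result is a failure.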

Configuring the Provider in the Mule Configuration File

<mule xmlns:jaas="http://www.mulesoft.org/schema/mule/jaas"
      xsi:schemaLocation="
        http://www.mulesoft.org/schema/mule/jaas
        http://www.mulesoft.org/schema/mule/jaas/current/mule-jaas.xsd"
       ...cut...

    <jaas:security-manager>
        <jaas:security-provider name="jaasSecurityProvider" loginContextName="jaasTest" loginConfig="jaas.conf"/>
    </jaas:security-manager>

Note that in the above, the loginContextName matches the name of the entry in the Jaas configuration file. This name will be used for creating the login context as well as to find the complete URL of the jaas.conf file.

Passing the Credentials Directly to the Provider

The second option for the configuration of the JaasSimpleAuthenticationProvider is to pass the configuration details that would otherwise be found in the Jaas configuration file directly to the provider.

<jaas:security-manager>
    <jaas:security-provider name="jaasSecurityProvider" loginContextName="jaasTest" credentials="anon:anon;Marie.Rizzo:dragon;"/>
</jaas:security-manager>

In the above configuration, note that we removed the property loginConfig and don’t need to pass any Jaas configuration file. Instead, we simply pass the credentials to the provider (using the same format as specified above). Since no login module is specified, the DefaultLoginModule is used.

Passing a Non-default Login Module

The third option is to enter your own login module.

<jaas:security-manager>
    <jaas:security-provider name="jaasSecurityProvider" loginContextName="jaasTest" loginModule="com.sun.security.auth.module.NTLoginModule"/>
</jaas:security-manager>

In the above configuration, we have added the loginModule property, which allows you to specify the login module you want to use to authenticate the user. Since the NTLoginModule does not require you to input a list of accepted usernames and passwords, the property for the credentials was removed.

Configuring the Security Filter on a Connector

You can use JaasSecurityFilter as a security filter, as follows:

<inbound>
    <inbound-endpoint address="vm://test">
        <jaas:jaas-security-filter/>
    </inbound-endpoint>
</inbound>

JAAS Module Reference

This module provides security via JAAS.

Security Manager

This is the security provider type that is used to configure JAAS related functionality.

Child Elements of <security-manager…>

Name                          Cardinality  Description
security-provider             0..1         This is the security provider type that is used to configure JAAS related functionality.
password-encryption-strategy  0..*

Security Provider

This is the security provider type that is used to configure JAAS related functionality.

Attributes of <security-provider…>

Name              Type    Required
loginContextName  string  no
credentials       string  no
loginConfig       string  no
loginModule       string  no

Jaas Security Filter

Authenticates users via JAAS.