11 - Access Control - JAAS


JAAS can be used for two purposes:

for authentication of users, to reliably and securely determine who is currently executing Java code, regardless of whether the code is running as an application, an applet, a bean, or a servlet; and
for authorization of users to ensure they have the access control rights (permissions) required to do the actions performed.

Jetty support for JAAS as a means of bringing greater flexibility to the declarative security models of the J2EE.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


Configure a jetty org.eclipse.jetty.plus.jaas.JAASLoginService to match the <realm-name> in your web.xml file.
Set up your LoginModule in a configuration file
You now need to invoke jetty with support for jaas. This involves 3 elements:

adding extra jars to jetty's classpath
adding the jetty config file with the JAASLoginService declaration to the startup sequence
adding the jaas system property java.security.auth.login.config which specifies the location of your login module config file