Getting Started with JAAS

The NetBeans Community Docs wish list is headed by a document request titled “Simple visual Web application (incl. documentation) using simple form based authentication with JAAS against a DB (e.g. login, logout, sessionhandling”.

In this post, I shall point you to some references and related resources regarding JAAS.

Java SE Security

Java SE security is described here


The Java™ Authentication and Authorization Service (JAAS) was introduced as an optional package (extension) to the Java™ 2 SDK, Standard Edition (J2SDK), v 1.3. JAAS was integrated into the J2SDK 1.4.

JAAS can be used for two purposes:

  • for authentication of users, to reliably and securely determine who is currently executing Java code, regardless of whether the code is running as an application, an applet, a bean, or a servlet; and
  • for authorization of users to ensure they have the access control rights (permissions) required to do the actions performed.

Traditionally Java has provided codesource-based access controls (access controls based on where the code originated from and who signed the code). It lacked, however, the ability to additionally enforce access controls based on who runs the code. JAAS provides a framework that augments the Java security architecture with such support.
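
To make the authentication half concrete, here is an added example (not code from this post's references or from the JAAS documentation): a minimal `LoginModule` driven through a `LoginContext`, including logout. The names `JaasDemo` and `DemoLoginModule`, the user `alice` and the hard-coded credential are assumptions constructed for the demo; a database-backed check is not shown.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.MessageDigest;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class JaasDemo {
    // Hypothetical module; credential is constructed. A real one verifies a salted hash from the DB.
    public static class DemoLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private java.security.Principal user;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
        public boolean login() throws LoginException {
            NameCallback name = new NameCallback("user: ");
            PasswordCallback pass = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { name, pass }); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            String n = name.getName();
            char[] given = pass.getPassword();
            pass.clearPassword();
            boolean ok = "alice".equals(n) && given != null && MessageDigest.isEqual(  // constant-time compare
                new String(given).getBytes(UTF_8), "constructed-demo-secret".getBytes(UTF_8));
            if (!ok) throw new FailedLoginException("bad credentials");
            user = () -> n;   // Principal's only abstract method is getName()
            return true;
        }
        public boolean commit() { subject.getPrincipals().add(user); return true; }    // attach identity
        public boolean abort()  { user = null; return true; }                          // discard on failure
        public boolean logout() { subject.getPrincipals().remove(user); return true; } // detach identity
    }
    // Programmatic stand-in for an entry in a JAAS login configuration file.
    static final Configuration CFG = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String app) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
        }
    };
    public static void main(String[] args) throws Exception {
        Subject subject = new Subject();
        CallbackHandler h = cbs -> { for (Callback cb : cbs) {
            if (cb instanceof NameCallback) ((NameCallback) cb).setName("alice");
            else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword("constructed-demo-secret".toCharArray());
            else throw new UnsupportedCallbackException(cb); } };
        LoginContext lc = new LoginContext("demo", subject, h, CFG);
        lc.login();   // runs login() then commit(); throws LoginException on bad credentials
        subject.getPrincipals().forEach(p -> System.out.println("logged in as " + p.getName()));
        lc.logout();  // runs the module's logout(), removing the principal again
        System.out.println("principals after logout: " + subject.getPrincipals().size());
    }
}
```

The authenticated `Subject` and its principals are what the authorization half then evaluates when deciding who may perform an action.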

Before reading the JAAS reference guide, please refer to the following documents:


After you have gained some preliminary experience, you could consider working on a simple visual web application which has authentication (login, logout, session handling, etc.) support and uses JAAS for the purpose.

And then finally, if you are successful in designing the web application, you could consider teaching it to someone by contributing to the NetBeans Community Docs.