Java Authentication and Authorization Service

Java Authentication and Authorization Service (JAAS) (https://docs.oracle.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html) implements a Java version of the standard Pluggable Authentication Module (PAM) framework. It was introduced as an optional package (extension) to the J2SDK (1.3) and then was integrated into the J2SDK 1.4.

JAAS is a standard library which provides your application with the following:

  • A representation of identity (a principal), established by providing credentials (username/password) and held in a subject.
  • A login service that calls back your application to gather credentials from the user and then returns a subject after successful authentication.
  • A mechanism to grant the necessary permissions (authorization) to a user after successful authentication:

Figure 8: Working of JAAS

As shown in the preceding figure, JAAS has predefined login modules for most of the common login mechanisms built in. Custom login modules can be imported or built according to application requirements. JAAS allows the application to be independent of the actual authentication mechanism. It is truly pluggable: new login modules can be integrated without any change to the application code.

JAAS is simple, and the process is as follows:

  • The application instantiates a LoginContext object, which invokes the appropriate LoginModule (selected by configuration) to perform the authentication.
  • Once authentication succeeds, the LoginModule updates the subject (who runs the code) with principals and credentials.
  • Soon after that, JAAS kicks off the authorization process (using the standard Java SE access control model). Access is granted based on the following:
    • Codesource: where the code originated and who signed it
    • The user (also called the subject): who is running the code
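
The two-phase flow above in plain JAAS, without Spring, as an added example that is not the book's own code: a constructed LoginModule (TableLoginModule), the application's CallbackHandler, and a programmatic Configuration standing in for a jaas.conf entry. It assumes Java 16+ and the constructed credential alice/s3cret; all class and method names here are hypothetical.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
// Constructed demo (Java 16+): a LoginModule checking a fixed user table, wired to a LoginContext via an in-memory Configuration.
public class JaasDemo {
    record UserPrincipal(String name) implements Principal { public String getName() { return name; } }
    // Hypothetical module. Phase 1: login() verifies credentials; phase 2: commit() updates the Subject.
    public static class TableLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private String authenticated;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> st, Map<String, ?> o) { subject = s; handler = h; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: "); PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }    // ask the application for credentials
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
            char[] pw = pc.getPassword(); pc.clearPassword();
            // Constructed credential table; a real module would compare a salted hash fetched from a store.
            boolean ok = "alice".equals(nc.getName()) && Arrays.equals(pw, "s3cret".toCharArray());
            if (pw != null) Arrays.fill(pw, '\0');                // do not keep the secret in memory
            if (!ok) throw new FailedLoginException("bad credentials");
            authenticated = nc.getName(); return true;
        }
        public boolean commit() {                                 // only now does the Subject gain a Principal
            if (authenticated == null) return false;
            subject.getPrincipals().add(new UserPrincipal(authenticated)); return true;
        }
        public boolean abort() { authenticated = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); authenticated = null; return true; }
    }
    static Configuration config() {   // jaas.conf equivalent: Demo { JaasDemo$TableLoginModule required; };
        return new Configuration() { public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(TableLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) }; } };
    }
    static CallbackHandler handler(String user, String pass) {    // the application's side of the callback
        return callbacks -> { for (Callback c : callbacks) {
            if (c instanceof NameCallback n) n.setName(user);
            else if (c instanceof PasswordCallback p) p.setPassword(pass.toCharArray());
            else throw new UnsupportedCallbackException(c); } };
    }
    public static void main(String[] args) throws LoginException {
        LoginContext lc = new LoginContext("Demo", new Subject(), handler("alice", "s3cret"), config());
        lc.login();                                               // runs login(), then commit()
        System.out.println("principals: " + lc.getSubject().getPrincipals());
        try { new LoginContext("Demo", new Subject(), handler("alice", "wrong"), config()).login(); }
        catch (FailedLoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

With the wrong password the LoginContext calls abort() on the module and rethrows the FailedLoginException, so the Subject never receives a principal.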

Now that we have a rough idea of JAAS and how it works, we will see JAAS in action with Spring Security by going through an example in the following section.
