In simplest terms, can anyone explain to me the difference between JAAS, JACC and JASPIC?

Question

I'll be honest. I've been a developer for a quite some time now but its the first time I've heard of JACC ans JASPIC. I understand that they are standards used by authorization providers, but how exactly to they differ from JAAS? and when would we use one over the other?

I did some initial research, its not that I'm lazy to do it. Its just that reading articles on JACC and JASPIC kinda overwhelmed me a little bit and I need to learn about this in the short possible time because I need to implement this in one of my upcoming projects. Just looking for a jump start on my understanding on it.

Answer 1

JAAS is included with Java SE, and is mainly useful for Java SE. It's about code level security (do you trust the code).

It's not directly useful for Java EE, which is about user level security (do you trust the user).

Some Java EE servers can use something that is based on JAAS LoginModules for authentication, but this usage of JAAS is non-standard and is extremely shallow compared to what it does in Java SE. For some reason or the other, because of this people think that security in Java EE is called JAAS, but it's completely the other way around.

JASPIC is an extension point that Java EE 6+ servers have to create and plug-in additional authentication mechanisms. You can use this to create things like OAuth, OpenID etc mechanisms. JASPIC is about interaction with your user. It says nothing about getting user data from things like LDAP or a database. You can do that with your own code, or by calling a JAAS LoginModule. JASPIC does define how JAAS LoginModules can be connected to your custom mechanism in a more standard way. Too bad it's not 100% standard still, but better at least.

JACC is another extension point but for authorization mechanisms. You can use it to do authorization in a different way, or to just audit authorization. JACC also makes all security constraints that you defined in web.xml available to your code. You can use that to check beforehand if a user will have access to a page. Unlike JASPIC, JACC is very difficult to actually activate in your application. You need to mess with JVM arguments etc.