Liferay is a Gartner Magic Quadrant Leader for the Sixth Year! Find out why


Tags: jaas

Java Authentication and Authorization Service (JAAS) is part of a Java security framework that enables services to authenticate and enforce access controls upon users. It implements a Java version of the standard Pluggable Authentication Module (PAM) framework and compatibly extends the Java 2 Platform's access control architecture to support user-based authorization. JAAS has been a standard part of the Java security framework since Java v1.4.

JAAS can be used for two purposes:

  • for authentication of users, to reliably and securely determine who is currently executing Java code, regardless of whether the code is running as an application, an applet, a bean, or a servlet; and
  • for authorization of users to ensure they have the access control rights (permissions) required to do the actions performed.

The primary goal of JAAS, therefore, is to manage the granting of permissions and performing security checks for those permissions. As such, JAAS is not concerned with other aspects of the Java security framework, such as encryption, digital signatures (JCA), or secure connections (JSSE).

Like most Java APIs, JAAS is exceptionally extensible. Most of the sub-systems in the framework allow substitution of default implementations so that almost any situation can be handled. For example, an application that once stored user ids and passwords in the database can be changed to use Windows OS credentials. The flexibility of JAAS and the rest of the security architecture, however, produces some complexity. The fact that almost any piece of the entire infrastructure can be overridden or replaced has major implications for coding and configuration. For example, every application server’s JAAS customizations have a different file format for configuring JAAS, all of which are different from the default one provided by Java.

Rad more about JAAS in JAAS Reference Guide.

JAAS in portal #

By default, JAAS is disabled. To enable it, just set the following property to true in


If JAAS is not enabled, authentication is taken care of by the portal filters. As soon as JAAS is enabled, a redirect to a "virtual" protected area (c/portal/protected) is issued after having authenticated the user against the portal database. This will trigger the JAAS authentication.

There are more JAAS properties that can be configured, as described in Portal Administration Guide.

0 Attachments
Average (0 Votes)
The average rating is 0.0 stars out of 5.