Overview of security standards

Geronimo uses Java Authentication and Authorization Service (JAAS) login modules for user authentication and the Java Authorization Contract for Containers (JACC) for authorization to server resources. Geronimo uses the Common Secure Interoperability Version 2 (CSIv2) protocol to support secure EJB access using CORBA.

Java Authentication and Authorization Service (JAAS)

The Java Authentication and Authorization Service (JAAS) implements a Java version of the standard Pluggable Authentication Module (PAM) framework. JAAS simplifies Java security development by introducing an abstraction layer between the application and the underlying authentication mechanisms, thereby enabling applications to be independent from the authentication mechanism. This enables us to plug in new or updated authentication mechanisms without requiring modifications to the application. Applications initiate authentication by instantiating a LoginContext object, which in turn references a configuration that determines the authentication mechanisms or login modules to be used in performing the authentication. If authentication is successful, then the login modules update the JAAS subject with relevant principals and credentials, which are then used to make authorization decisions. Geronimo provides several JAAS login module implementations and principal and credential classes to easily configure security for applications deployed in Geronimo.

Java Authorization Contract for Containers (JACC)

The Java Authorization Contract for Containers (JACC) specification, JSR-115, defines new java.security.Permission classes to satisfy the Java EE 5 authorization model. JACC allows authorization decisions to be made based on these permission classes. Geronimo provides an implementation of JACC v1.1.

The Common Secure Interoperability Version 2 (CSIv2) protocol

The Common Secure Interoperability Version 2 (CSIv2) protocol is a protocol for implementing security features for inter-ORB communication. Geronimo integrates Apache Yoko in order to support CSIv2.
