Specification: Jakarta Authentication

Version: 3.0

Status: Final

Release: May 01, 2022

Copyright © 2018, 2022 Eclipse Foundation. https://www.eclipse.org/legal/efsl.php

Eclipse Foundation Specification License

By using and/or copying this document, or the Eclipse Foundation document from which this statement is linked, you (the licensee) agree that you have read, understood, and will comply with the following terms and conditions:

Permission to copy, and distribute the contents of this document, or the Eclipse Foundation document from which this statement is linked, in any medium for any purpose and without fee or royalty is hereby granted, provided that you include the following on ALL copies of the document, or portions thereof, that you use:

  • link or URL to the original Eclipse Foundation document.

  • All existing copyright notices, or if one does not exist, a notice (hypertext is preferred, but a textual representation is permitted) of the form: "Copyright © [$date-of-document] Eclipse Foundation, Inc. https://www.eclipse.org/legal/efsl.php"

Inclusion of the full text of this NOTICE must be provided. We request that authorship attribution be provided in any software, documents, or other items or products that you create pursuant to the implementation of the contents of this document, or any portion thereof.

No right to create modifications or derivatives of Eclipse Foundation documents is granted pursuant to this license, except anyone may prepare and distribute derivative works and portions of this document in software that implements the specification, in supporting materials accompanying such software, and in documentation of such software, PROVIDED that all such works include the notice below. HOWEVER, the publication of derivative works of this document for use as a technical specification is expressly prohibited.

The notice is:

"Copyright © 2018, 2020 Eclipse Foundation. This software or document includes material copied from or derived from Jakarta® Authentication https://jakarta.ee/specifications/authentication/2.0/"

Disclaimers

THIS DOCUMENT IS PROVIDED "AS IS," AND THE COPYRIGHT HOLDERS AND THE ECLIPSE FOUNDATION MAKE NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR TITLE; THAT THE CONTENTS OF THE DOCUMENT ARE SUITABLE FOR ANY PURPOSE; NOR THAT THE IMPLEMENTATION OF SUCH CONTENTS WILL NOT INFRINGE ANY THIRD PARTY PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.

THE COPYRIGHT HOLDERS AND THE ECLIPSE FOUNDATION WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF ANY USE OF THE DOCUMENT OR THE PERFORMANCE OR IMPLEMENTATION OF THE CONTENTS THEREOF.

The name and trademarks of the copyright holders or the Eclipse Foundation may NOT be used in advertising or publicity pertaining to this document or its contents without specific, written prior permission. Title to copyright in this document will at all times remain with copyright holders.

Preface

This document is the Jakarta Authentication Specification, version 2.0.

Notational Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119, "Key words for use in RFCs to Indicate Requirement Levels" [RFC2119].

Audience

This document is intended for developers of a Compatible Implementation and of the Technology Compatibility Kit and for those who will be delivering implementations of this technology in their products.

Specification Scope

Jakarta Authentication defines a general low-level SPI for authentication mechanisms, which are controllers that interact with a caller and a container’s environment to obtain the caller’s credentials, validate these, and pass an authenticated identity (such as name and groups) to the container.

Jakarta Authentication consists of several profiles, with each profile telling how a specific container (such as Jakarta Servlet) can integrate with- and adapt to this SPI.

Abstract

This specification defines a service provider interface (SPI) by which authentication providers implementing message authentication mechanisms may be integrated in client or server message processing containers or runtimes. Authentication providers integrated through this interface operate on network messages provided to them by their calling container. They transform outgoing messages such that the source of the message may be authenticated by the receiving container, and the recipient of the message may be authenticated by the message sender. They authenticate incoming messages and return to their calling container the identity established as a result of the message authentication. The SPI is applicable to diverse messaging protocols (including SOAP, Jakarta Messaging, and HTTP) and message processing runtimes (including Jakarta EE containers).

This specification extends the pluggable authentication concepts of the Java Authentication and Authorization Service (JAAS) to the authentication of network messages. This effect is achieved by evolving the JAAS login model to facilitate the integration of security functionality at differentiated points within a logical message processing model and by defining corresponding authentication interfaces that make the network messages available for processing by authentication modules.

Acknowledgments

The authors would like to thank the original JCP JSR-196 Expert Group and Contributors.

Expert Group under the JCP

Steven Bazyl RSA Security, Inc.

Shing Wai Chan Sun Microsystems

Herb Erickson Novell, Inc.

Johan Gellner Tmax Soft, Inc.

Steven Kinser Novell, Inc.

Boris Koberle Sap AG.

Mikko Kolehmainen Nokia Networks

Charlie Lai Sun Microsystems

Hal Lockart BEA Systems

Thomas Maslen Quest Software

Cameron Morris Novell, Inc.

Larry McCay Individual

Ron Monzillo Sun Microsystems

Anthony Nadalin IBM

Nataraj Nagaratnam IBM

Raymond K. Ng Oracle Corporation

Arvind Prabhakar Sun Microsystems

Anil Saldhana JBoss, Inc.

Rajiv Shivane Pramati Technologies

Neil Smithline BEA Systems

Jeppe Sommer Trifork

Contributors under the JCP

Venu Gopal Sun Microsystems

Will Hopkins Oracle America, Inc.

V. B. Kumar Jayanti Sun Microsystems

Manveen Kaur Sun Microsystems

Raja Perumal Sun Microsystems

Tim Quinn Oracle America, Inc.

Gursharan Singh Sun Microsystems

Anil Tappetla Sun Microsystems

Arjan Tijms

1. Overview

This chapter introduces the message processing model facilitated by this specification and the interfaces defined to integrate message authentication facilities within this model.

1.1. Message Processing Model

A typical message interaction between a client and server begins with a request from the client to the server. The server receives the request and dispatches it to a service to perform the requested processing. When the service completes, it may create a response that is returned back to the client.

The SPI defined by the specification is structured such that message processing runtimes can inject security processing at four points in the typical message interaction scenario. A message processing runtime uses the SPI at these points to delegate the corresponding message security processing to authentication providers (that is, authentication modules) integrated into the runtime by way of the SPI.

The following diagram depicts the four interaction points. The names of the interaction points represent the methods of the corresponding ClientAuthModule (client authentication module) and ServerAuthModule (server authentication module) interfaces defined by the SPI.

authn 1
Figure 1-1 Message Processing Model [1]

1.1.1. Authentication Modules

As described above, there are two types of authentication modules. A client authentication module implements the ClientAuthModule interface and is invoked (indirectly) by a message processing runtime at points 1 and 4 (that is, secureRequest and validateResponse) in the message processing model. A server authentication module implements the ServerAuthModule interface and is invoked (indirectly) by a message processing runtime at points 2 and 3 (that is, validateRequest and secureResponse) in the message processing model.

When an authentication module is invoked at the identified message processing points, it is provided access to the request and response messages (as appropriate to the point in the interaction) and proceeds to secure or validate them as appropriate. For example, when secureRequest is invoked on a client authentication module, the module may attach a user name and password to the request message. Similarly, when validateRequest is called, the server authentication module may extract a user name and password from the message and validate them against a user database. Note that authentication modules are responsible for securing or validating messages, while the message processing runtime remains responsible for transport of messages and invocation of the corresponding application level processing.

A message processing runtime invokes client authentication modules by interacting with a client authentication context object, and server authentication modules by interacting with a server authentication context object. An authentication context object is an implementation of either the ClientAuthContext or ServerAuthContext interface as defined by this specification. A message processing runtime may acquire the authentication context objects that it uses to invoke authentication modules by interacting with an authentication context configuration object. An authentication context configuration object is an implementation of either the ClientAuthConfig or ServerAuthConfig interface as defined by this specification.

1.1.2. Authentication Contexts

An authentication context is responsible for constructing, initializing, and coordinating the invocation of one or more encapsulated authentication modules. If the context implementation supports the configuration of multiple authentication modules within a context (for example, as sufficient alternatives), the context coordinates the invocation of the authentication modules on behalf of both the message processing runtime and the authentication modules.

A client message processing runtime interacts with an implementation of the ClientAuthContext interface to invoke the authentication modules of the context to perform message processing at points 1 and 4 (secureRequest and validateResponse) of the message processing model. Similarly, a server message processing runtime interacts with an implementation of the ServerAuthContext interface to invoke the modules of the context to perform message processing at points 2 and 3 (validateRequest and secureResponse) of the message processing model.

1.1.3. Authentication Context Configuration

An authentication context configuration object serves a message processing runtime as the source of authentication contexts pertaining to the messages of an application at a messaging layer. The context configuration implementation is responsible for returning authentication context objects that encapsulate authentication module invocations sufficient to satisfy the security policy configured for an application message. A message processing runtime may use a representation of the message being processed to obtain the corresponding authentication context from the appropriate authentication context configuration object.

A client authentication context configuration object implements the ClientAuthConfig interface and provides ClientAuthContext objects for use by a message processing runtime at points 1 and 4 (secureRequest and validateResponse) in the message processing model. A server authentication context configuration object implements the ServerAuthConfig interface and provides ServerAuthContext objects for use by a message processing runtime at points 2 and 3 (validateRequest and secureResponse) in the message processing model.

A message processing runtime may acquire authentication context configuration objects by interacting with a provider of authentication context configuration objects.

1.1.4. Authentication Context Configuration Providers

An authentication context configuration provider is an implementation of the AuthConfigProvider interface. An authentication context configuration provider serves as a source of authentication context configuration objects, where as noted above, each configuration object serves as the source of authentication contexts pertaining to the messages of an application at a messaging layer.

An authentication context configuration provider embodies the implementation of a message authentication configuration mechanism. Each such configuration mechanism encapsulates the message authentication processing pertaining to applications in configuration objects that return context objects that coordinate the invocation of pluggable authentication modules to perform message authentication on behalf of the corresponding applications.

The AuthConfigFactory class serves as the catalog or registry of authentication context providers available for use by a runtime. A message processing runtime may interact with the factory to obtain or establish the provider registered for an application context and messaging layer.

1.1.5. Request and Response Messages

Request and response messages are Java representations of the corresponding protocol messages, and are passed to authentication modules through an implementation of the MessageInfo interface which provides common methods for accessing protocol specific messages.

Authentication Modules that operate on messages for a specific protocol (for example, SOAP messages) are expected to be configured for and called from an appropriate message processing runtime (for example, a SOAP message processing runtime).

1.1.6. Message Authentication Policy

When an authentication module is initialized within an authentication context, it is passed policy information that specifies what authentication guarantees the module is to enforce when securing or validating request and response messages within that context. Policy information is conveyed by the authentication context to the authentication module in the form of MessagePolicy objects. Two separate MessagePolicy objects are passed to the module through its initialize method: One defines the message authentication policy to be applied to the request message, and the other defines the message authentication policy to be applied to the response.

A message authentication policy can be targeted at specific parts of the related message or to the message as a whole, and conveys the high level authentication guarantees that must be enforced by the modules of a context. The policy may specify, for example, that the source of a request must be authenticated. The mechanisms by which a module enforces the guarantees, or, in other words, how the module enforces the guarantees is up to the module.

1.1.7. Authentication Exchanges and State

Authentication modules should be implemented such that they may be invoked concurrently and such that they are able to apply and establish independent security identities for concurrent invocations. To this end, modules should rely on their invocation parameters and the callbacks supported by the CallbackHandler with which they were initialized to obtain any information required to establish the invocation context for which they were invoked.

In a multi-message authentication scenario, it is the responsibility of the authentication modules involved in the authentication to tie together or correlate the messages that comprise the authentication exchange. In addition to message correlation to tie together the messages required to complete an authentication, message correlation may also be employed post-authentication such that a prior authentication result or session may be applied to a subsequent invocation. Modules are expected to perform their message correlation function based on the parameters of their invocation and with the benefit of any additional facilities provided by the invoking runtime (for example, through their CallbackHandler).

To assist modules in performing their correlation function, calls made to validateResponse must be made with the same messageInfo object used in the call to secureRequest (or validateResponse) that elicited the response. Similarly, calls made to secureResponse must be made with the same messagInfo object that was passed to validateRequest (for the corresponding request message). Modules are also expected to avail themselves of persisted state management facilities (for example, jakarta.servlet.http.HttpSession facilities) provided by the invoking runtime. The use of such facilities prior to authentication may increase the system’s susceptibility to a denial-of-service attack, and their use by authentication modules should be considered in that regard.

For security mechanisms or protocols where message correlation is dependent on the content of exchanged messages, it is the responsibility of the authentication modules to ensure that the required correlation information is inserted in the exchanged messages. For security mechanisms where message correlation is dependent on context external to the exchanged messages, such as the transport connection or session on which messages are received, the authentication modules will be dependent on correlation related facilities provided by the runtime.

This version of this specification does not define the interfaces by which runtimes present correlation facilities to authentication modules.

1.1.8. Callbacks for Information From the Runtime

Authentication modules may require security information from the message processing environment that invoked them. For example, a ClientAuthModule may require access to the client’s key pair to sign requests made on behalf of the client. The client’s keys would typically have been configured as part of the client application itself. Likewise, a ServerAuthModule may require access to the server’s key pair to sign responses from the server. The server’s keys would typically be configured as part of the server.

To access cryptographic keys or other external security credentials configured as part of the encompassing runtime, an authentication module is provided with a CallbackHandler (at initialization). The CallbackHandler is provided by the encompassing runtime and serves to provide the authentication module with access to facilities of the encompassing runtime.

The module can ask the CallbackHandler to handle requests for security information needed by the module to perform its message authentication processing.

1.1.9. Subjects

When an authentication module is invoked to validate a message, it is passed a Subject object to receive the credentials of the source of the message and a separate Subject object to represent the credentials of the recipient of the message (such that they are available to validate the message). When an authentication module is invoked to validate a message, it communicates the message source or caller authentication identity to its calling runtime (for example, container) through (that is, by modifying) the Subject associated with the source of the message.

Authentication modules may rely on the Subjects as well as the CallbackHandler, described in Section 1.1.8, to obtain the security information necessary to secure or validate messages. When an authentication module is invoked to secure a message, it is passed a Subject object that may convey the credentials of the source of the message (such that they are available to secure the request).

1.1.10. Status Values and Exceptions

Authentication modules and authentication contexts return AuthStatus values to characterize the outcome of their message processing. When an AuthStatus value is returned, its value represents the logical result of the module processing and indicates that the module has established a corresponding request or response message within the MessageInfo parameter exchanged with the runtime.

Authentication modules and authentication contexts throw exceptions when their processing was unsuccessful and when that processing did not establish a corresponding request or response message to convey the error.

The vocabulary of AuthStatus values and exceptions returned by authentication modules, and their mapping to the message processing points at which they may be returned, is represented in the following table.

Table 1-1 AuthStatus and AuthException to Message Processing Point Matrix
status or exception secureRequest validateRequest secureResponse validateResponse

SUCCESS

Yes

Yes

FAILURE

Yes

Yes

SEND_SUCCESS

Yes

Yes

Yes

SEND_FAILURE

Yes

Yes

SEND_CONTINUE

Yes

Yes

Yes

Yes

AuthException

Yes

Yes

Yes

Yes

The following table describes the high level semantics associated with the status values and exceptions presented in the preceding table.

Table 1-2 AuthStatus and AuthException Semantics
status or exception semantic

SUCCESS

Validation of a received message was successful and produced either the request (validateRequest) message to be dispatched to the service, or the response (validateResponse) message to be returned to the client application.

FAILURE

A failure occurred on the client-side (secureRequest or validateResponse) and produced a failure response message to be returned to the client application.

SEND_SUCCESS

Processing of a request (secureRequest or validateRequest) or response (secureResponse) message was successful and produced the request (secureRequest) or response (validateRequest, secureResponse) message to be sent to the peer.

SEND_FAILURE

A failure occurred on the service-side (validateRequest or secureResponse) and produced a failure response message to be sent to the client.

SEND_CONTINUE

Processing was incomplete. Additional message exchanges will be required to achieve successful completion. The processing produced the next request (secureRequest or validateResponse) or response (validateRequest or secureResponse) message to be sent to the peer.

AuthException

A failure occurred on the client-side (secureRequest or validateResponse) or service-side (validateRequest or secureResponse) without producing a failure response message.

The expected behavior of runtimes in response to AuthStatus return values and AuthException exceptions is described in See What the Runtime Must Do. These behaviors may be specialized in profiles of this specification.

1.2. Typical Runtime Use Model

In the typical use model, a runtime would perform the five steps defined in the following subsections to secure or validate a message. In many cases, some or all of steps 1-4 will be performed once, while step 5 would be repeated for each message to be processed.

1.2.1. Acquire AuthConfigProvider

The message processing runtime acquires a provider of authentication context configuration objects for the relevant messaging layer and application identifier. This step is typically done once for each application, and may be accomplished as follows:

AuthConfigFactory factory = AuthConfigFactory.getFactory();
AuthConfigProvider provider = factory.getConfigProvider(layer, appID, listener);

1.2.2. Acquire AuthConfig

The message processing runtime acquires the authentication context configuration object for the application from the provider. This step is typically done at application deployment, and may be accomplished as follows:

ClientAuthConfig clientConfig =
    provider.getClientAuthConfig(layer, appID, callbackHandler);

or:

ServerAuthConfig serverConfig =
    provider.getServerAuthConfig(layer, appID, callbackHandler);

The resulting authentication context configuration object encapsulates all authentication contexts for the application at the layer. Its internal state will be kept up to date by the configuration system, and from this point until the application is undeployed, the configuration object represents a stable point of interaction between the runtime and the integrated authentication mechanisms for the purpose of securing the messages of the application at the layer.

A callback handler is associated with the configuration object when it is obtained from the provider. This callback handler will be passed to the authentication modules within the authentication contexts acquired from the configuration object. The runtime provides the callback handler so that the authentication modules may employ facilities of the messaging runtime (such as keying infrastructure) in their processing of application messages.

1.2.3. Acquire AuthContext Identifier

At points (1) and (2) in the message processing model, a message processing runtime creates a MessageInfo object and sets within it the message or messages being processed. The runtime uses the MessageInfo to acquire the authentication context identifier corresponding to the message from the authentication configuration object. This step is typically performed for every different [2] request and may be accomplished by a runtime as follows:

String authContextID = clientConfig.getAuthContextID(messageInfo);

or:

String authContextID = serverConfig.getAuthContextID(messageInfo);

The authentication context identifier will be used to select the authentication context with which to perform the message processing. In cases where the configuration system cannot determine the context identifier [3], the value null will be returned.

1.2.4. Acquire Authentication Context

The authentication identifier is used to acquire an authentication context from the authentication context configuration object. The acquired authentication context encapsulates the one or more authentication modules that are to be invoked to process the identified messages. The authentication context is acquired from the authentication context configuration object as follows:

ClientAuthContext clientContext =
    clientConfig.getAuthContext(authContextID, clientSubject, properties);

or:

ServerAuthContext serverContext =
    serverConfig.getAuthContext(authContextID, serviceSubject, properties);

The properties argument is used to pass additional initialization time properties to the authentication modules encapsulated in the authentication context. Such properties might be used to convey values specific to this use of the context by a user or with a specific service.

The Subject argument is used to make the principals and credentials of the sending entity available during the acquisition of the authentication context. If the Subject is not null, additional principals or credentials (pertaining to the sending entity) may be added (to the Subject) during the context acquisition.

1.2.5. Process Messages

Appropriate to its point of processing in the messaging model, the messaging runtime uses the MessageInfo described in Step 3 to invoke a method of the authentication context obtained in Step 4.

At point (1) in the messaging model, the`clientSubject` may contain the credentials used to secure the request, or the modules of the context may collect the client credentials including by using the callback handler passed through to them by the context. MessageInfo would contain a request message about to be sent. On successful return from the context, the runtime would extract the secured request message from messageInfo and send it.

(1) AuthStatus status = clientContext.secureRequest(messageInfo, clientSubject);

At point (2), the clientSubject receives any principals or credentials established as a result of message validation by the authentication modules of the context. The serviceSubject may contain the credentials of the service or the modules of the context may collect the service credentials, as necessary, by using the callback handler passed to them by the context. MessageInfo would contain a received request message. On successful return from the context, the runtime may use the clientSubject to authorize and dispatch the validated request message, as appropriate.

(2) AuthStatus status = serverContext.validateRequest(messageInfo, clientSubject, serviceSubject);

At point (3), the serviceSubject may contain the credentials used to secure the response, or the modules of the context may collect the service credentials including by using the callback handler passed through to them by the context. The MessageInfo would contain a response message about to be sent and may also contain the corresponding request message received at point (2). On return from the context, the runtime would send the secured response message.

(3) AuthStatus status = serverContext.secureResponse(messageInfo, serviceSubject);

At point (4), the serviceSubject receives any principals or credentials established as a result of message validation by the authentication modules of the context. The clientSubject may contain the credentials of the receiving client or the modules of the context may collect the client credentials, as necessary, by using the callback handler passed to them by the context. MessageInfo would contain a received response message and may also contain the associated request message sent at point (1). On successful return from the context, the runtime may use the serviceSubject to authorize the response and would return the received message to the client, as appropriate.

(4) AuthStatus status =
        clientContext.validateResponse(messageInfo, clientSubject, serviceSubject);

1.3. Terminology

authentication context

A Java Object that implements the ClientAuthContext and/or ServerAuthContext interfaces and that is responsible for constructing, initializing, and coordinating the invocation of one or more encapsulated authentication modules. Authentication context objects are classified as client or server authentication contexts.

authentication context configuration

A Java Object that implements the AuthConfig Interface and that serves as the source of client or server authentication context objects pertaining to the processing of messages for an application at a messaging layer.

authentication context configuration provider

A Java Object that implements the AuthConfigProvider Interface and that serves as the source of authentication context configuration objects.

authentication module

A Java Object that implements the ClientAuthModule and/or ServerAuthModule message authentication interfaces defined by this specification.

authentication provider

A synonym for an authentication module.

client authentication context

An authentication context that implements the ClientAuthContext interface and that encapsulates client authentication modules.

client authentication context configuration

An authentication context configuration that implements the ClientAuthConfig interface and that returns client authentication contexts.

client authentication module

A Java Object that implements the ClientAuthModule interface defined by this specification.

message layer

The name associated within a message processing runtime with a messaging protocol or abstraction, and which may be used in the interfaces defined by this specification to cause the integration of security mechanisms at the corresponding points within the messaging runtime.

message processing runtime

The process or component (for example, container) responsible for sending and receiving, including establishing the transports used for such purposes, the application messages to be secured using the interfaces defined by this specification. Message processing runtimes are characterized as client, server, or as both client and server message processing runtimes. A client message processing runtime sends service requests and receives service responses. A server message processing runtime receives service requests and sends service responses.

message (layer) security

A network security mechanism that operates above the transport and below the application messaging layers, and that typically operates by encapsulating or associating application layer messages within a securing context that may be independent of the transport or connection over which the messages are communicated.

meta message

A mechanism specific message sent in addition to (for example, in an advance of) the application messages, typically for the purpose of establishing or modifying the context (such as security) in which application messages will be exchanged.

server authentication context

An authentication context that implements the ServerAuthContext interface and that encapsulates server authentication modules.

server authentication context configuration

An authentication context configuration that implements the ServerAuthConfig interface and that encapsulates client authentication context.

server authentication module

A Java Object that implements the ServerAuthModule interface defined by this specification.

1.4. Assumptions

The following assumptions apply to the interfaces defined by this specification:

  1. This specification defines interfaces for integrating message layer security functionality in Java messaging runtimes. These interfaces are intended to be employed by Jakarta Enterprise Edition (Jakarta EE version 9 and beyond) messaging runtimes, and by any Java messaging runtime that chooses to use them to support integration of message layer security functionality.

  2. The interfaces defined by this specification have been developed for use within the message processing runtimes of service consumers (for example, clients) and service providers (for example, servers).

  3. Interoperability between a message processing runtime that employs the interfaces defined by this specification and any other system will depend on the formats of the exchanged messages, not on the interfaces used to process them.

  4. This specification will define profiles to establish the requirements governing the use of its interfaces within specific messaging contexts or runtimes. Additional profiles may be defined in futures releases of this specification, or external to it.

  5. This specification promotes authentication modules as the pluggable unit of message layer security functionality. In the typical integration scenario, a new message layer security mechanism is integrated in a message processing runtime as the result of the configuration of a new authentication module.

  6. Mechanisms that feature or require more complex or specialized configuration functionality may depend on integration of a corresponding configuration provider which may encapsulate authentication module pluggability, including such that it occurs as the result of provider configuration.

  7. A message processing runtime that uses the interfaces defined by this specification will remain responsible for sending and receiving, including establishing the transports used for such purposes, the application messages secured through these interfaces. The integrated security mechanism code is responsible for adding security constructs to messages to be sent, and for interpreting security constructs contained in received messages.

  8. As needed to perform its primary function (that is, to add to and validate security constructs in messages provided to it by its messaging runtime), an authentication mechanism integrated through the interfaces defined in this specification may use its own facilities or those of its calling runtime to exchange additional messages with the same or with other parties.

  9. Some multi-message authentication dialogs require that the sending runtime be able to delay or retry application message transmission until after a preliminary authentication dialog has completed. Where a sending runtime is unable to perform such functionality, effective integration of a dependent security mechanism may require that the integrated security facilities perform the required delay and retry functionality.

  10. Authentication mechanisms integrated in a messaging runtime through the interfaces defined by this specification may require access to sensitive security information (for example, cryptographic keys) for which access may have otherwise been limited to the messaging runtime.

  11. Independent of message transformations performed by one or more integrated security mechanisms, the client messaging runtime must remain capable of associating received responses with sent requests.

1.5. Requirements

The interfaces defined by this specification must comply with the following:

  1. Be compatible with versions of Java beginning with 1.8.

  2. Be compatible with a wide range of messaging protocols and runtimes.

  3. Support the integration and configuration of message security mechanisms in Java message processing runtimes that retain responsibility for the transport of application layer messages.

  4. Provide integrated authentication mechanisms with access to the application messages transported by the messaging runtime, especially for the purpose of adding or validating contained security credentials.

  5. Define a means for an integrated security mechanism to establish (for example, application layer) response messages as necessary to implement security mechanisms.

  6. Define a means for an integrated security mechanism to effect the destination address of outgoing messages.

  7. Support the binding of received messages to configured security mechanisms at various levels of granularity such as per messaging runtime, per messaging layer, per application, and per message.

  8. Support the integration of alternative security mechanism configuration facilities as required to support specific security mechanisms or to integrate into standard or existing configuration infrastructures.

  9. Support the runtime binding of user or application client credentials to invocations of authentication modules.

  10. Support the establishment of Subject based authorization identities by integrated authentication mechanisms.

  11. Define a means for integrated security mechanisms to gain access to facilities (for example, key repositories, password databases, and subject or principal interpretation interfaces) of their calling messaging runtime.

  12. Facilitate the correlation of the associated request and response processing performed by an authentication module.

  13. Support runtime parameterization of security mechanism invocation such that a single mechanism configuration can be employed to secure commonly protected exchanges with different service entities.

  14. Support the apportionment of responsibility for creation and maintenance of stateful security contexts among a messaging runtime and its integrated security mechanisms, especially such that context invalidation (including as a result of policy modification) by either party is appropriately detected by the other.

  15. Support the portable implementation (including by third parties) of security mechanisms such that they may be integrated in any messaging runtime which is compatible with the corresponding interfaces of this specification.

1.5.1. Non Requirements

  1. The standardization of specific principals or credentials to be added by authentication modules to subjects.

  2. The standardization of additional interfaces or callbacks to allow JAAS login modules to secure the request and response messages exchanged by Jakarta EE containers.

  3. The standardization of interfaces to interact with network authentication services, or to represent the security credentials acquired from such services.

  4. The standardization of application programming interfaces for use in establishing or manipulating security contexts in Subjects.

2. Message Authentication

This chapter defines how message processing runtimes invoke authentication modules to secure or validate request and response messages. It describes the interactions that occur between message processing runtimes and authentication modules to cause security guarantees to be enforced on request and response messages.

The subsections of this chapter establish the common requirements that pertain to the use of this specification in a generic message processing context. Profiles are expected to be defined to establish the specific requirements pertaining to the use of this specification in a particular message processing context.

The API defined by this specification is intended to have more general applicability than the contexts of use defined in this specification. To that end, a runtime that provides compatible Java definitions of the interfaces defined by this specification and compatible Java implementations of the defined classes satisfies the baseline compatibility requirements of this specification.

2.1. Authentication

As defined in Section 1.2 a message processing runtime’s interaction with the interfaces defined by this specification is divided into the following five phases:

  1. Acquire AuthConfigProvider – Runtime acquires a provider of authentication context configuration objects for the relevant messaging layer and application identifier.

  2. Acquire AuthConfig – Runtime acquires the authentication context configuration object for the application from the provider.

  3. Acquire AuthContext Identifier – Runtime acquires the authentication context identifier corresponding to the messages to be processed.

  4. Acquire Authentication Context – Runtime uses the context identifier to obtain the corresponding authentication context.

  5. Process Message(s) – Runtime uses the authentication context to process the messages.

The remaining sections of this chapter define the requirements that must be satisfied by messaging runtimes and providers in support of each of the five interactions identified above.

2.1.1. Acquire AuthConfigProvider

2.1.1.1. What the Runtime Must Do

For a message processing runtime to be able to invoke authentication modules configured according to this specification, the JVM of the message processing runtime must have been configured or initialized such that it has loaded the abstract AuthConfigFactory class, and such that the getFactory method of the abstract class (loads, as necessary, and) returns a concrete implementation of AuthConfigFactory. When called by the messaging runtime with layer and appContext arguments, the getConfigProvider method of the returned factory implementation must return the corresponding (as a result of configuration or registration) AuthConfigProvider object (or null if no provider is configured for the arguments).

This specification defines authorization protected configuration interfaces, and a message processing runtime must support the granting, to applications and administration utilities, of the permissions required to employ these configuration interfaces.

A message processing runtime that wishes to invoke authentication modules configured according to this specification must use the AuthConfigFactory.getFactory method to obtain a factory implementation. The runtime must invoke the getConfigProvider method of the factory to obtain the AuthConfigProvider. The runtime must specify appropriate (non-null) layer and application context identifiers in its call to getConfigProvider. The specified values must be as defined by the profile of this specification being followed by the messaging runtime.

A runtime may continue to reuse a provider for as long as it wishes. However, a runtime that wishes to be notified of changes to the factory that would cause the factory to return a different provider for the layer and appContext arguments should include a (non-null) RegistrationListener as an argument in the call used to acquire the provider. When a listener argument is included in the call to acquire a provider, the factory will invoke the notify method of the listener when the correspondence between the provider and the layer and application context for which it had been acquired is no longer in effect. When the notify method is invoked by the factory, the runtime should reacquire an AuthConfigProvider for the layer and application context.

2.1.1.2. What the Factory Must Do

The factory implementation must satisfy the requirements defined by the AuthConfigFactory class. In particular, it must offer a public, zero argument constructor that supports the construction and registration of AuthConfigProvider objects from a persistent declarative representation.

2.1.2. Acquire AuthConfig

2.1.2.1. What the Runtime Must Do

Once the runtime has obtained the appropriate (non-null) AuthConfigProvider, it must obtain from the provider the authentication context configuration object corresponding to the messaging layer, its role as client or server, and the application context for which it will be exchanging messages. It does this by invoking getClientAuthConfig or getServerAuthConfig as appropriate to the role of the runtime in the message exchange. A runtime operating at points 1 and 4 in the messaging model must invoke getClientAuthConfig to acquire its configuration object. A runtime operating at points 2 and 3 in the messaging model must invoke getServerAuthConfig to acquire its configuration object. The call to acquire the configuration object must specify the same values for layer and application context identifier that were used to acquire the provider. Depending on the profile of this specification being followed by the messaging runtime, a CallbackHandler may also be a required argument of the call to acquire the configuration object. When a profile requires a CallbackHandler, the profile must also specify the callbacks that must be supported by the handler.

A runtime may continue to reuse an acquired authentication context configuration object for as long as it is acting as client or server of the corresponding application. A runtime should reacquire an authentication context configuration object when it is notified (through a RegistrationListener) that it must reacquire the AuthConfigProvider from which the configuration object was acquired (and after having reacquired the provider).

2.1.2.2. What the Provider Must Do

The provider implementation must satisfy the requirements defined by the AuthConfigProvider interface. In particular, it must return non-null authentication configuration objects. Moreover, when the provider is a dynamic configuration provider, any change to the internal state of the provider occurring as the result of a call to its refresh method must be recognized by every authentication context configuration object obtained from the provider.

The provider implementation must provide a configuration facility that may be used to configure the information required to initialize authentication contexts for the (one or more) authentication context configuration scopes (defined by layer and application context) for which the provider is registered (at the factory).

To allow for delegation of session management to authentication contexts and their contained authentication modules, it must be possible for one or more of the authentication context configuration scopes handled by an AuthConfigProvider to be configured such that the getAuthContext method of the corresponding authentication context configuration objects will return a non-null authentication context for all authentication context identifier values, independent of whether or not the corresponding messages require protection. In this case, contexts returned for messages for which protection is NOT required must initialize their contained authentication modules with request and/or response MessagePolicy objects for which isMandatory() returns false (while allowing for the case where one of either request or response policy may be null).

A sample and perhaps typical context initialization model is described in Section 2.1.4.2. Providers must offer a configuration facility sufficient to sustain the typical context initialization model.

2.1.3. Acquire AuthContext Identifier

2.1.3.1. What the Runtime Must Do

At points (1) and (2) in the messaging model, the message processing runtime must obtain the authentication context identifier corresponding to the request message processing being performed by the runtime.

The identifier may be acquired by calling the getAuthContextID method of the authentication context configuration object (obtained in the preceding step). If the messaging runtime chooses to obtain the context identifier by this means, it must provide a MessageInfo object as argument to the getAuthContextID call, and the MessageInfo must have been initialized such that its getRequestMessage method will return the request message being processed by the runtime. The type of the returned request message must be as defined by the profile of this specification being followed by the messaging runtime.

Alternatively and depending on the requirements relating to authentication context identifier inherent in the profile being followed by the messaging runtime, the runtime may obtain the identifier by other means. Where a profile defines or facilitates other means by which a messaging runtime may acquire the identifier, the identifier acquired by any such means must be equivalent to the identifier that would be acquired by calling getAuthContextID as described above.

2.1.3.2. What the Configuration Must Do

The configuration implementation must satisfy the requirements defined by the AuthConfig interface with respect to the getAuthContextID method.

2.1.4. Acquire Authentication Context

2.1.4.1. What the Runtime Must Do

At points (1) and (2) in the messaging model, the message processing runtime must invoke the getAuthContext method of the authentication context configuration object (obtained in step 2) to obtain the authentication context object corresponding to the message that is to be processed. This is accomplished by invoking getAuthContext with the authentication context identifier corresponding to the request message and obtained as described above. If required by the profile of this specification being followed by the runtime, the call to getAuthContext must pass a Map containing the required property elements. The value of the Subject argument provided by the runtime in its call to getAuthContext must correspond to the requirements of the profile of this specification being followed by the runtime.

Once an authentication context is acquired, it may be reused to process subsequent requests of the application for which an equivalent authentication context identifier, Subject, and properties Map (as used in the getAuthContext) applies. Runtimes that wish to be dynamic with respect to changes in context configuration should call getAuthContext for every request. An authentication context configuration object may return the same authentication context object for different authentication context identifiers for which the same module configuration and message protection policy applies.

At points (3) and (4) in the messaging model, the runtime may repeat the context acquisition performed at point (2) and (1) respectively, or it may reuse the previously acquired context.

2.1.4.2. What the Configuration Must Do

The configuration implementation must satisfy the requirements defined by the corresponding ClientAuthConfig or ServerAuthConfig interface with respect to the getAuthContext method. In this regard, the configuration implementation must determine the authentication modules that are to comprise the acquired context, and it must provide the context implementation with sufficient information to initialize the modules of the context. The getAuthContext method must return null when no authentication modules are to be invoked for an identified authentication context at the layer and application context represented by the configuration object.

The interfaces by which an authentication context configuration object obtains a properly configured or initialized authentication context object are implementation-specific. That said, it is expected that the typical context initialization will require the following information:

  • The CallbackHandler (if any) to be passed to the modules of the context

  • A list of one or more module configurations (one for each module of the context), and where each such configuration conveys (either directly or indirectly) the following information:

    • The implementation class for the authentication module (that is, an implementation of the ClientAuthModule or ServerAuthModule interface as appropriate to the type of the containing context)

    • The module specific initialization properties (in a form compatible with conveyance to the module by using a Map)

    • The request and response MessagePolicy objects for the module

    • The context-specific control attributes to be used by the context to coordinate the invocation of the module with respect to the other modules of the context

To sustain the above requirements, the AuthConfigProvider from which the authentication context configuration object was acquired must provide a configuration facility by which the information required to initialize authentication contexts may be configured and associated with one or more authentication context identifiers within the (one or more) layer and application context scopes for which the provider is registered (at the factory).

2.1.5. Process Messages

2.1.5.1. What the Context Must Do

Every context implementation must satisfy the requirements as defined by the corresponding ClientAuthContext or ServerAuthContext interface.

Every context is responsible for constructing and initializing the one or more authentication modules assigned to the context by the authentication context configuration object. The initialization step includes passing the relevant request and response MessagePolicy objects to the authentication modules. These policy objects may have been acquired by the authentication context configuration object and provided as arguments through the internal interfaces used by the configuration object to acquire the context.

Every context must delegate calls made to the methods of its corresponding ClientAuth or ServerAuth interface to the corresponding methods of its one or more authentication modules. If a context encapsulates multiple authentication modules, the context must embody the control logic to determine which modules of the context are to be invoked and in what order. Contexts which encapsulate alternative sufficient modules must ensure that the same message values are passed to each invoked alternative of the context. If a context invokes multiple authentication modules, the context must combine the AuthStatus values returned by the invoked authentication modules to establish the AuthStatus value returned by the context to the messaging runtime. The context implementation must define the logic for combining the returned AuthStatus values.

2.1.5.2. What the Runtime Must Do

If a non-null authentication context object is returned by getAuthContext, the corresponding message processing runtime must invoke the methods of the acquired authentication context to process the corresponding request and response messages as defined below. Otherwise, the message processing runtime must proceed with its normal processing of the corresponding messages and without invoking the methods of an authentication context object.

At point (1) in the message processing model:

  • The message processing runtime must call the secureRequest method of the ClientAuthContext.

  • The messageInfo argument to the call must have been initialized such that its getRequestMessage method will return the request message being processed by the runtime. The type of the returned request message must be as defined by the profile being followed.

  • If a non-null Subject was used to acquire the ClientAuthContext, the same Subject must be passed as the clientSubject in this call. If a non-null clientSubject is used in this call, it must not be read-only, and the same clientSubject argument must be passed in all calls to validateResponse made for the one or more responses processed to complete the message exchange.

  • If the call to secureRequest returns:

    • AuthStatus.SEND_SUCCESS – The runtime should send (without calling secureRequest) the request message acquired by calling messageInfo.getRequestMessage. After sending the request, the runtime should proceed to point (4) in the message processing model (to receive and validate the response).

    • AuthStatus.SEND_CONTINUE – The module has returned, in messageInfo, an initial request message to be sent. Moreover, the module is informing the client runtime that it will be required to continue the message dialog by sending the message resulting from validation of the response to the initial message. If the runtime will be unable to continue the dialog by sending the message resulting from validation of the response, the runtime must not send the initial request and must convey its inability by returning an error to the client application. Otherwise, the runtime should send (without calling secureRequest) the request message acquired by calling messageInfo.getRequestMessage.

    • AuthStatus.FAILURE – The runtime should return an error to the client application. The runtime should derive the returned error from the response message acquired by calling messageInfo.getResponseMessage.

    • Throws an AuthException – The runtime should use the exception to convey to the client runtime that the request failed.

At point (4) in the message processing model:

  • The message processing runtime must call the validateResponse method of the ClientAuthContext.

  • In the call made to validateResponse, the runtime must pass the same MessageInfo instance that was passed to secureRequest (at the start of the message exchange). The messageInfo argument must have been initialized such that its getResponseMessage method will return the response message being processed by the runtime.The type of the required return messages must be as defined by the profile being followed.

  • The value of the clientSubject argument to the call must be the same as that passed in the call to secureRequest for the corresponding request.

  • The serviceSubject argument to the call may be non-null, in which it must not be read-only and may be used by modules to store Principals and credentials determined to pertain to the source of the response.

  • If the call to validateResponse returns:

    • AuthStatus.SUCCESS – The runtime should use the response message acquired by calling messageInfo.getResponseMessage to create the value to be returned to the client.

    • AuthStatus.SEND_CONTINUE – If the runtime is unable to process this status value, it must return an error to the client application indicating its inability to process this status value. To process this status value, the runtime must send (without calling secureRequest) the (continuation) request message obtained by calling messageInfo.getRequestMessage, and it must receive and process by using validateResponse (at least) the next corresponding response or error (before returning a value to the client).

    • AuthStatus.FAILURE – The runtime should return an error to the client application. The runtime should derive the returned error from the response message acquired by calling messageInfo.getResponseMessage.

    • Throws an AuthException – The runtime should use the exception to convey to the client runtime that the request failed.