Java Authentication and Authorization Service (JAAS, pronounced “jazz”) is a set of APIs used to authenticate the identity of a user or client/computer and to ensure that this entity, which is attempting to run Java code, has the proper privileges for the request. JAAS is an extension to the Java platform and was integrated in Java Standard Edition 1.4.
The Java Authentication and Authorization Service is Java’s implementation of the Pluggable Authentication Module (PAM) information security framework standard, which was first proposed by Sun Microsystems in October 1995 in the Open Software Foundation Request for Comments (RFC) 86.0. No PAM standard was ever really ratified, but an attempt was made to standardize it as part of the X/Open UNIX standardization process, which later became the X/Open Single Sign-on (XSSO) standard; that standard was still not ratified. However, it was used as the basis for the JAAS implementation of PAM.
The JAAS process extends the usual security policy by adding a specification of the privileges granted to the user requesting to execute Java code. Like most security processes, JAAS uses authentication and authorization. First, it authenticates the requesting entity, determining whether it really is who it says it is, and finds out what privileges it has been given. Then it checks the type of request against the specification of privileges to determine whether the entity has the authority for such a request. Finally, it grants or denies authorization based on the authentication process.
As an API, JAAS is independent of other Java APIs and can run concurrently with them, even with other security APIs. Because of this, new Java code, technologies and applications may be plugged in with little to no modification required.