Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management

The Generic Security Services API (GSS-API) is a standardized API developed by the Internet Engineering Task Force (IETF) to provide a generic authentication and secure messaging interface that supports a variety of pluggable security mechanisms. The GSS-API is also designed to insulate its users from the underlying security mechanisms by allowing the development of application authentication using a generic interface. GSS-API Version 2 is also defined in a language-independent format.

Sun introduced the Java GSS-API (JGSS) as an optional security package for J2SE 1.4 that provides the Java bindings for the GSS-API. This allows development of applications that enable uniform access to security services over a variety of underlying authentication mechanisms, including Kerberos.

Comparing JGSS with JSSE and JAAS

JGSS-API shares many features with JAAS and JSSE, particularly with regard to client-server authentication, data encryption, and integrity. However, there are some notable differences you should be aware of before choosing JGSS as the appropriate mechanism to use:

  • Single Sign-On Support: JGSS supports Kerberos as its key authentication mechanism, which allows building single sign-on and thus avoids requiring users to log in multiple times.

  • Communication: JGSS is a token-based API that relies on the application to handle the communication. This allows an application to use the transport protocols of its choice, such as TCP sockets, UDP datagrams, or any other transport for communicating JGSS-generated tokens. JSSE provides a socket-based API and allows applications to communicate using TCP sockets only.

  • Credential Delegation: Using Kerberos mechanisms, JGSS allows the client to delegate its credentials to server applications deployed in a multi-tier environment. JAAS also supports similar delegation using Kerberos mechanisms.

  • Encryption: Because JGSS is token-based, it also lets an application choose, for each message, which encryption type (if any) to apply, so plaintext and ciphertext messages can be interspersed as the application needs. This feature is not supported by the other Java security APIs.

The Java GSS-API classes and interfaces are in the org.ietf.jgss.* package, which is part of J2SE 1.4. The Kerberos V5 GSS-API mechanism is the default instance of org.ietf.jgss.GSSManager. To use JGSS, you need a Kerberos realm and a Kerberos Key Distribution Center (KDC). The KDC is part of a Kerberos installation and is not provided with the J2SE bundle.
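As an added example (not from the book), here is the client side of the token exchange described above: JGSS produces the context tokens, the application frames and sends them over a socket of its own choosing, and afterwards wraps individual messages with or without encryption, checking what the mechanism actually granted. It assumes a current JDK, that the code runs inside Subject.doAs() after a Krb5LoginModule login (or with javax.security.auth.useSubjectCredsOnly=false and a native ticket cache), and that host@server.example.com and port 4444 are placeholders for a real deployment.

```java
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.net.Socket;
import org.ietf.jgss.*;
// Client side of a JGSS context establishment and a protected message exchange.
// Host, port and service name below are placeholders for the reader's deployment.
public class JgssClient {
    public static void main(String[] args) throws Exception {
        GSSManager manager = GSSManager.getInstance();     // Kerberos V5 is the default mechanism
        Oid krb5 = new Oid("1.2.840.113554.1.2.2");         // Kerberos V5 mechanism OID (RFC 1964)
        GSSName server = manager.createName("host@server.example.com", GSSName.NT_HOSTBASED_SERVICE);
        // null credential = use the Kerberos credentials of the current JAAS Subject
        GSSContext ctx = manager.createContext(server, krb5, null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);   // authenticate the server to the client as well
        ctx.requestConf(true);         // ask for confidentiality on wrapped messages
        ctx.requestInteg(true);        // ask for integrity protection
        ctx.requestCredDeleg(false);   // do not forward the client's ticket to the server
        try (Socket sock = new Socket("server.example.com", 4444);
             DataInputStream in = new DataInputStream(sock.getInputStream());
             DataOutputStream out = new DataOutputStream(sock.getOutputStream())) {
            // Token loop: JGSS produces the tokens, the application carries them (length-prefixed on TCP).
            byte[] token = new byte[0];
            while (!ctx.isEstablished()) {
                token = ctx.initSecContext(token, 0, token.length);
                if (token != null) {                       // null: nothing more to send
                    out.writeInt(token.length); out.write(token); out.flush();
                }
                if (!ctx.isEstablished()) {                // a reply token from the peer is expected
                    token = new byte[in.readInt()]; in.readFully(token);
                }
            }
            // Requested flags are not guaranteed: check what the mechanism actually granted.
            if (!ctx.getMutualAuthState() || !ctx.getConfState()) {
                throw new SecurityException("server not authenticated or confidentiality unavailable");
            }
            // Per-message protection: this message is wrapped with encryption (privacy = true);
            // a later one may be wrapped integrity-only (privacy = false) or sent as plaintext.
            MessageProp prop = new MessageProp(0, true);
            byte[] msg = "transfer 100".getBytes("UTF-8");
            byte[] wrapped = ctx.wrap(msg, 0, msg.length, prop);
            if (!prop.getPrivacy()) {                      // verify encryption was really applied
                throw new SecurityException("message was not encrypted");
            }
            out.writeInt(wrapped.length); out.write(wrapped); out.flush();
        } finally {
            ctx.dispose();                                 // release mechanism state
        }
    }
}
```

The server side mirrors this loop with acceptSecContext() and unwrap(), and must likewise inspect the MessageProp after unwrap() to learn whether a received message was encrypted.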

For more information about using JGSS with Kerberos, refer to http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/single-signon.html.
