15th Annual Computer Security Applications Conference
December 6-10, 1999
Phoenix, Arizona


Charlie Lai, charlie@angeles.eng.sun.com, Sun Microsystems
Li Gong, li.gong@sun.com, Sun Microsystems
Larry Koved, koved@us.ibm.com, IBM Corporation
Anthony Nadalin, drsecure@us.ibm.com, IBM Corporation
Roland Schemers, schemers@onebox.com, onebox.com

Java(TM) security technology originally focused on creating a safe environment in which to run potentially untrusted code downloaded from the public network. With the latest release of Java(TM) 2 (also known as JDK 1.2), fine-grained access controls can be placed upon critical resources with regard to the identity of the running applets and applications, which are distinguished by where the code came from and who signed it. However, the Java platform still lacks the means to enforce access controls based on the identity of the user who runs the code. In this paper, we describe the design and implementation of the Java(TM) Authentication and Authorization Service (JAAS), a framework and programming interface that augments the Java(TM) platform with both user-based authentication and access control capabilities.