Why does uPortal not use JAAS for authentication or authorization?

JAAS enables services to authenticate users and enforce access controls upon them, but as currently specified by Sun, it makes too many assumptions about how the services that use it will operate to be effective in a portal. JAAS allows authentication modules to be "plugged in" but doesn't allow services to modify the behavior of the system as a whole.

uPortal doesn't operate the way that JAAS assumes because a portal, any portal, must aggregate content and applications from disparate sources. uPortal must have an authentication mechanism that behaves differently than JAAS does because a portal must support single sign-on to applications which have their own, disparate authentication and/or authorization requirements.

The bottom line is that the uPortal developers think that authentication and authorization are currently too tightly coupled within JAAS, and would therefore delay the implementation of single sign-on in uPortal until Sun publishes a later revision of the JAAS specification that decouples them. Perhaps in the future JAAS could provide uPortal with security services, but in its current state it has neither the flexibility nor the functionality to be incorporated well into uPortal.