- Enhancement
- Resolution: Fixed
- P3
- 1.4.0
- beta
- generic
- generic

Name: me32167 Date: 11/01/99

The latest release of the Java(TM) 2 Software Development Kit, v 1.3, provides a means to enforce access controls based on where code came from and who signed it. The need for such access controls derives from the distributed nature of the Java(TM) platform, where, for instance, a remote applet may be downloaded over a public network and then run locally. The Java 2 platform, however, lacks the means to enforce similar access controls based on who runs the code.

To provide this type of access control, the Java(TM) 2 security architecture requires additional support for authentication (determining who's actually running the code), and extensions to the existing authorization components to enforce new access controls based on who was authenticated. The Java(TM) Authentication and Authorization Service (JAAS) framework augments the Java 2 platform with such support.

The JAAS authentication framework is based on PAM (Pluggable Authentication Modules), and therefore supports an architecture that allows system administrators to plug in the appropriate authentication services to meet their security requirements. The architecture also enables applications to remain independent from the underlying authentication services. Hence as new authentication services become available or as current services are updated, system administrators can easily plug them in without having to modify or recompile existing applications.

The JAAS access control framework extends the Java 2 access control architecture and security policy in a compatible fashion, and doesn't require modifications to the SecurityManager. Therefore, existing subclass SecurityManager implementations will continue to function seamlessly.

The JAAS framework is implemented entirely in Java and is currently being delivered as an optional package at http://java.sun.com/products/jaas/
======================================================================