I can understand nobody likes JAAS, including me.
But java.security.Principal, javax.security.auth.Subject are CORE JAAS
So I don't see how to use them without JAAS.
When I look at the choice in Java
Bottom, Appendix A)
I can't see what else can be used for a multithreaded JVM.
For me, the natural choice for security propagation will be GSS-API, which can be used with our
In addition, you get SSO for free if used with KRB5.
Example: HTTP SPNEGO. You get authentication/authorization and a safe connection without
implementing krb5 yourself.
You delegate ticket validation to Java's built-in JAAS login module,
or you tell Java just to use the Red Hat GSS native libs, when the Red Hat server is already
configured for Kerberos.
One of many reasons I like AS7 & Red Hat Linux, and especially Picketbox &
There is a lot of cool stuff built into Java 6 and higher… I would take it.
If you don't like it, throw it away, take the interface and make a better implementation
yourself later… if you find the time for it :-)