Java JAAS for human beings

Disclaimer: this page is a Chinese-English parallel translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must likewise follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/628416/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

Date: 2020-08-11 17:08:17  Source: igfitidea

JAAS for human beings

Tags: java, security, spring, spring-security, jaas

Asked by Dan

I am having a hard time understanding JAAS. It all seems more complicated than it should be (especially the Sun tutorials). I need a simple tutorial or example on how to implement security (authentication + authorization) in java application based on Struts + Spring + Hibernate with custom user repository. Can be implemented using ACEGI.

Answered by Mark

For a purely JAAS tutorial check out this. It's old but should help with the JAAS basics.

Answered by matt b

I can't speak too much to JAAS itself, but this "suggested steps" guide on Spring Security and the reference manual are both pretty good resources on Spring Security - if your setup is anything close to simple, you don't really need to do much more than read these.

Answered by lsiu

Other users have provided some very useful links above so I am not going to bother with links. I have done similar research in JAAS for web applications and ran into a "mind roadblock" until I finally realized JAAS is a framework tackling security at a different "layer" than web applications in the Java world. It is built to tackle security issues in Java SE, not Java EE.

JAAS is a security framework built for securing things at a much lower level than web applications. Some examples of these things are code and resources available at the JVM level, hence the ability to set policy files at the JVM level.

However, since Java EE is built on top of Java SE, a few modules from JAAS were reused in Java EE security such as the LoginModules and Callbacks.

Note that in addition to Java EE security, there is also Spring Security (formerly known as Acegi), which, similar to native Java EE security, tackles a much higher "layer" of the web-application security problem. It is a separate security implementation and is not built on top of standard Java EE security, although it behaves similarly in many regards.

To summarize, unless you are looking to secure resources at the Java SE level (classes, system resources), I don't see any real use of JAAS other than using the common classes and interfaces. Just focus on using Spring Security or plain old Java EE security, which both solve a lot of common web application security problems.

Answered by lisak

javax.security is, imho, an overcomplicated API. As a result there are implementors of not only LoginModules, but of the entire authentication and authorization API, that create an abstraction layer above it, like Authentication & Authorization managers.

For starters, it is good to print this into your memory.

Secondly, imho the most simple, setup & go library for JAAS is Jboss PicketBox. It says how to do authentication and authorization via JBossAuthenticationManager and JBossAuthorizationManager ... Easily configurable via XML or Annotations. You can use it for managing both webapps and standalone applications.

If you need the authorization part for managing repository access, in terms of ACLs for resources, this is what you are looking for, for sure.

The problem with security is that usually you need to customize it to your needs, so you may end up implementing:

LoginModule - verifies userName + password

CallbackHandler - is used like this: new LoginContext("Sample", new MyCallbackHandler());

CallbackHandler is passed to the underlying LoginModules so they may communicate and interact with users - prompting for a username and password via a graphical user interface, for example. So inside of the Handler you get the username and password from the user and it is passed to the LoginModule.

LoginContext - then you just call lc.login(); and authenticate the credentials. LoginContext is populated with the authenticated Subject.

However Jboss picketbox gives you a really easy way to go, unless you need something specific.

Answered by Arjan Tijms

lsiu's answer is one of the few answers here that really "get it" ;)

Adding to that answer, a really good reference on this topic is Whatever Happened to JAAS?.

It explains how JASPIC is the link in Java EE between the Servlet and EJB security models and potentially a JAAS login module, but that in many cases JAAS' role is reduced to that of a relatively simple username and roles provider in Java EE.

From the same author is JAAS in the Enterprise, which is an older article but provides a lot of historical background on why the Java SE (JAAS) and Java EE models diverged the way they did.

Overall, only a few types from JAAS are directly used in Java EE, basically Principal, Subject, and CallbackHandler. The latter two are mainly used by JASPIC. I've explained JASPIC in the article Implementing container authentication in Java EE with JASPIC.