I am using Oracle Weblogic 10.3 and I want to use JAAS authentication. As a
start, I checked the sample code given at
SAMPLES_HOME\server\examples\src\examples\security\jaas.

I have a few questions:

1. In SampleClient.java:
- We're first retrieving the authenticated subject:
Subject subject = loginContext.getSubject();
- Then, we perform SampleAction
-Then we call the weblogic.security.Security.Security.runAs(subject,

I noticed that SampleAction and SampleClient are dependent on Weblogic. In
SampleClient, we're calling the weblogic runAs method.
Theoretically, JAAS is independent of the application server. Is there a
way to implement JAAS with Weblogic in a way that it is independent of
I have to run my application on multiple AS (Oracle weblogic 10.3, JBoss).
I want to check if it is possible to write the code once for JAAS (e.g., one
LoginModule) for both servers?

2. In the sample given, they are using the
UsernamePasswordLoginModule which is located in Weblogic.jar. And in the
documentation it is said, that if you want to write
your own LoginModule, you must have it call the
weblogic.security.auth.Authenticate.authenticate() method to perform the
Can you explain why, please?
In JAAS, it is said that my application-layer code deals primarily with a
LoginContext. Underneath that LoginContext is a set of one or more
dynamically configured LoginModules, which handle the actual authentication
using the appropriate security infrastructure (JndiLoginModule,
In fact, I need to be able to create the JAAS files once for all
application servers (e.g., Weblogic, JBoss). As I noticed from the research I
have done, this is not possible now because we must call the Weblogic
authenticate in the login module.

This said, when using JAAS with Weblogic, I must write JAAS classes for
Weblogic; and when using JAAS with JBoss, I must write JAAS classes for

Is this true? Is there another method to implement JAAS in a way that it
will be totally independent of the Application Server?

Can someone help, please?