Java Security Research - Java Authentication and Authorization Services (JAAS)
Java originally supported only client-side security, in the form of authorization for code downloaded from the Internet. We were active partners in the definition and development of Java Authentication and Authorization Services (JAAS), an integral part of Java 2 Standard Edition. JAAS extends Java 2 security by adding an authentication framework and additional support for principal-based (e.g., user-based) authorization within the Java 2 Standard Edition (J2SE) runtime environment. JAAS was a standard extension in J2SE 1.3 and became an integral part of J2SE in version 1.4. JAAS has become the basis for other Java security endeavors.
The motivation for and description of the architecture were presented at the 1999 ACSAC conference.