When I started working on this problem, I found the relation of these four terms confusing. I will briefly explain them as far as I understand them. I've also linked each term with its Wikipedia entry.


A software suite that allows secure authentication across an insecure network. This means that authentication is possible but credentials cannot be obtained by an attacker monitoring network traffic. Kerberos also provides encrypted communications over an insecure network.

GSSAPI (Generic Security Services Application Program Interface).

An API that allows clients and servers to mutually authenticate each other and (optionally) pass encrypted messages to each other. GSSAPI is implementation-independent and can be used with Kerberos as such an implementation. In practice GSSAPI and Kerberos refer to the same thing, however, since Kerberos seems to be the only existing implementation.

SASL (Simple Authentication and Security Layer)

Similar to GSSAPI, it is an API that allows for mutual authentication and (optionally) encryption. One such implementation is called GSSAPI, so SASL can be seen as sitting "on top" of GSSAPI. I found that I did not need to interact with GSSAPI directly at all. SASL is part of the the Java Standard Edition. If you want to use encryption, you need to install and configure the Java security extension known as Java Cryptography Extension (JCE). JCE enables the more robust encryption required by Kerberos within the Java Authentication and Authorization Service (JAAS). The JCE that needs to be installed is specific to the version of Java you are running.

JAAS (Java Authentication and Authorization Service)

This is a Java-specific API that interacts with SASL but is distinct from it. The Zookeeper integration described here uses the JAAS configuration file format and the SASL APIs. There is no additional dependencies needed to use JAAS since it has been part of the the Java Standard Edition since 1.4.

  • No labels