20021204 Wednesday December 04, 2002

JAAS vs. Container-Managed Security

I'm digging into JAAS this afternoon as I enjoy the vacancy of the Winter Break at DU's Penrose Library. Man, what a great school - I used to love it when we'd get off 6 weeks for Christmas Break - from Thanksgiving through January - how sweet is that!?

The reason I'm writing on this cold (32°F) afternoon is to get some thoughts on JAAS in web applications. I'm giving it about a paragraph of coverage, explaining that it's mainly for declaring authentication and authorization in policy files. Furthermore, it's only invoked when running your application (or Tomcat) with a security manager. However, it's not really needed in web applications because 1) container-managed security declared in web.xml is good enough, and 2) authentication mechanisms never really need to be that fine-grained. Whaddya think? Am I wrong, does it deserve more coverage? Don't most app servers use JAAS under the covers?

Posted in General at Dec 04 2002, 10:19:06 AM MST 8 Comments

Comments:

Matt, I think you are underestimating the value of JAAS a fair bit. Suppose you want to authenticate your users against a database table of users/passwords. Without JAAS this is container-specific (sure it works nice in Tomcat, but would you be able to do FORM authentication in WebSphere easily?). We use JAAS in the big application I'm developing and it gives us the freedom to more easily port our application to other containers. What if your application needed to authenticate users (suppose for a portal, not that far fetched, eh?) where each "portlet" had a different authentication scheme: LDAP, Windows NT, database, etc. JAAS is the way to go.

Posted by Erik Hatcher on December 04, 2002 at 03:00 PM MST #
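To make Erik's point concrete (and the "declaring it in policy files" part of the post above), here is an added example; it is not code from this post, its commenters, or any of the app servers mentioned. It is a JAAS LoginModule that checks a username and password against a user table. The table is an in-memory map of constructed rows standing in for the JDBC query a real module would run; TableLoginModule, UserPrincipal and RolePrincipal are names chosen for the example. The role principals it attaches to the Subject are what a container would match against the role names declared in web.xml, which is where the two approaches meet: the container still enforces the constraints, JAAS just supplies a portable way to decide who the user is.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.SecureRandom;
import java.security.GeneralSecurityException;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Example LoginModule (hypothetical name) authenticating against a user table.
 *  The "table" is an in-memory map of constructed rows standing in for a JDBC
 *  query; the JAAS lifecycle (initialize/login/commit/abort/logout) is real. */
public class TableLoginModule implements LoginModule {

    /** Principals a container maps onto the role names declared in web.xml. */
    public static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String n) { name = n; }
        public String getName() { return name; }
        @Override public String toString() { return "user:" + name; }
    }
    public static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String n) { name = n; }
        public String getName() { return name; }
        @Override public String toString() { return "role:" + name; }
    }

    /** One row of the constructed table: per-user salt, PBKDF2 hash, roles. */
    private static final class Row {
        final byte[] salt, hash; final List<String> roles;
        Row(byte[] s, byte[] h, List<String> r) { salt = s; hash = h; roles = r; }
    }
    private static final Map<String, Row> USERS = new HashMap<>();
    static {
        // Constructed sample rows; passwords are hashed at class load, so the
        // "table" never holds plaintext.
        addUser("alice", "correct horse".toCharArray(), "user", "admin");
        addUser("bob", "battery staple".toCharArray(), "user");
    }
    private static void addUser(String name, char[] pw, String... roles) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        USERS.put(name, new Row(salt, pbkdf2(pw, salt), Arrays.asList(roles)));
        Arrays.fill(pw, '\0');
    }
    static byte[] pbkdf2(char[] pw, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(pw, salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private Row row;
    private boolean succeeded;
    private final List<Principal> added = new ArrayList<>();

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    /** Phase 1: collect credentials through the CallbackHandler and verify them. */
    public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("no CallbackHandler available");
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot collect credentials: " + e.getMessage());
        }
        char[] pw = pc.getPassword() == null ? new char[0] : pc.getPassword();
        pc.clearPassword();
        Row r = USERS.get(nc.getName());
        // Hash even for unknown users so timing does not reveal which names exist,
        // compare in constant time, and report one message for both failure cases.
        byte[] candidate = pbkdf2(pw, r != null ? r.salt : new byte[16]);
        Arrays.fill(pw, '\0');
        if (r == null || !MessageDigest.isEqual(candidate, r.hash)) {
            throw new FailedLoginException("bad username or password");
        }
        user = nc.getName(); row = r; succeeded = true;
        return true;
    }

    /** Phase 2: attach principals only now, so a failing module elsewhere in the
     *  stack cannot leave a half-populated Subject behind. */
    public boolean commit() {
        if (!succeeded) return false;
        added.add(new UserPrincipal(user));
        for (String role : row.roles) added.add(new RolePrincipal(role));
        subject.getPrincipals().addAll(added);
        return true;
    }
    public boolean abort() { succeeded = false; user = null; row = null; return true; }
    public boolean logout() { subject.getPrincipals().removeAll(added); added.clear(); return true; }

    /** Stand-alone run. The Configuration below is the in-code equivalent of a
     *  login config file containing:  Sample { TableLoginModule required; }; */
    public static void main(String[] args) throws LoginException {
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    TableLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        };
        CallbackHandler creds = callbacks -> {   // what a form login would supply
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName("alice");
                else if (c instanceof PasswordCallback)
                    ((PasswordCallback) c).setPassword("correct horse".toCharArray());
            }
        };
        LoginContext lc = new LoginContext("Sample", new Subject(), creds, cfg);
        lc.login();
        System.out.println(lc.getSubject().getPrincipals());
    }
}
```

Run it with `java TableLoginModule.java` (Java 11 or later); the printed Subject carries alice plus her two role principals. Outside the example, the same module is wired in by putting the `Sample { TableLoginModule required; };` entry in a login config file and pointing the JVM at it with `-Djava.security.auth.login.config`, which is the "declaring" side Matt mentions; the only code a deployment writes is the module itself, and swapping the database for LDAP means swapping the module, not the container configuration.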

Hmmm, it sounds like I owe JAAS more than a simple paragraph or two then. Now I just need to 1) dig up some good references/examples and 2) make it look easy to implement. This article makes it look like a lot more coding than declaring. Do you know of any simple examples that interface with LDAP or a database?

Posted by Matt Raible on December 04, 2002 at 05:44 PM MST #

Sun has an interesting angle on JAAS in the Sun ONE Appserver. Listed as one of their realms: "Customizable realms -- You can build realms for other databases, such as Oracle, to suit your specific needs by using JAAS [Java Authentication and Authorization Service] login modules. Refer to the sample realm in Sun ONE Application Server 7 as a template."

Posted by Matt Raible on December 04, 2002 at 05:56 PM MST #

I found some more goodies: All that JAAS - a JavaWorld article using MySQL. JAASRealm in Tomcat - seemingly undocumented but implemented in 4.1.x. Unfortunately, it's got a hard-coded authenticate method that doesn't make a good example in my eyes.

Posted by Matt Raible on December 04, 2002 at 06:12 PM MST #

Matt, I have experienced some problems in our project, when we tried to tie role-based security to a menu. Just making only those links in the menu available that you are allowed to follow turned out to be a nightmare. An example for this would be helpful, if Struts offers some support for this commonplace feature.

Posted by F. Degenaar on December 06, 2002 at 12:15 AM MST #

Have you seen the Struts Menu that I recently posted? This might help you.

Posted by Matt on December 09, 2002 at 06:56 AM MST #

Thanks Matt, that helped a lot. Alas, I am not allowed to publish my implementation of PermissionsAdapter. Best regards, Fokko

Posted by F. Degenaar on December 12, 2002 at 10:47 PM MST #

hi,

I want to use jaas with my struts application in sunone 6.1. Can anyone help me with any sample source code? Does sunone 6.1 support jaas?

Thank you

Posted by tushar on January 31, 2006 at 05:15 AM MST #

Matt Raible is a Web Architect who enjoys developing applications with open source technologies. Contact me for rates.