Matt Raible is a Web Developer and Java Champion.

JAAS vs. Container-Managed Security

I'm digging into JAAS this afternoon as I enjoy the vacancy of the Winter Break at DU's Penrose Library. Man, what a great school - I used to love it when we'd get off 6 weeks for Christmas Break - from Thanksgiving through January - how sweet is that!?

The reason I'm writing on this cold (32°F) afternoon is to get some thoughts on JAAS in web applications. I'm giving it about a paragraph of coverage, explaining that it's mainly for declaring authentication and authorization in policy files. Furthermore, it's only invoked when running your application (or Tomcat) with a security manager. However, it's not really needed in web applications because 1) container-managed/web.xml is good enough, and 2) authentication mechanisms never really need to be that fine-grained. Whaddya think? Am I wrong, does it deserve more coverage? Don't most app servers use JAAS under the covers?

Posted in General at Dec 04 2002, 10:19:06 AM MST 8 Comments
Comments:

Matt, I think you are underestimating the value of JAAS a fair bit. Suppose you want to authenticate your users against a database table of users/passwords. Without JAAS this is container-specific (sure it works nice in Tomcat, but would you be able to do FORM authentication in WebSphere easily?). We use JAAS in the big application I'm developing and it gives us the freedom to more easily port our application to other containers. What if your application needed to authenticate users (suppose for a portal, not that far fetched, eh?) where each "portlet" had a different authentication scheme: LDAP, Windows NT, database, etc. JAAS is the way to go.

Posted by Erik Hatcher on December 04, 2002 at 04:00 PM MST #

Hmmm, it sounds like I owe JAAS more than a simple paragraph or two then. Now I just need to 1) dig up some good references/examples and 2) make it look easy to implement. This article makes it look like a lot more coding than declaring. Do you know of any simple examples that interface with LDAP or a database?

Posted by Matt Raible on December 04, 2002 at 06:44 PM MST #
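
Editor's added example, not code from the post, its commenters, or any container: a minimal JAAS `LoginModule` of the kind discussed in the two comments above, checking a username and password against a users/passwords table. The class name `TableLoginModule`, the in-memory `USERS` map standing in for the table, the sample user, and the `WebApp` configuration entry are assumptions; the code uses records, so it needs Java 16 or later.

```java
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical module. An application selects it in a JAAS login configuration
// entry such as:  WebApp { TableLoginModule required; };
public class TableLoginModule implements LoginModule {
    record Row(byte[] salt, byte[] hash) {}
    record User(String name) implements Principal { public String getName() { return name; } }

    // Constructed sample data standing in for the users/passwords table.
    // A real table stores a random salt per user, never the password itself.
    static final byte[] SALT = "constructed-salt".getBytes();
    static final Map<String, Row> USERS =
        Map.of("alice", new Row(SALT, kdf("constructed-pw".toCharArray(), SALT)));

    private Subject subject;
    private CallbackHandler handler;
    private User user;

    static byte[] kdf(char[] pw, byte[] salt) {
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(new PBEKeySpec(pw, salt, 100_000, 256)).getEncoded();
        } catch (java.security.GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }

    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user: ");
        PasswordCallback pass = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { name, pass }); }   // the caller supplies the credentials
        catch (Exception e) { throw new LoginException("cannot collect credentials: " + e); }
        Row row = name.getName() == null ? null : USERS.get(name.getName());
        char[] pw = pass.getPassword();
        // Constant-time comparison; one error for both unknown user and wrong password.
        boolean ok = row != null && pw != null && MessageDigest.isEqual(kdf(pw, row.salt()), row.hash());
        pass.clearPassword();
        if (!ok) throw new FailedLoginException("invalid credentials");
        user = new User(name.getName());
        return true;
    }
    // commit/abort return false when this module's own login() did not succeed.
    public boolean commit() { if (user != null) subject.getPrincipals().add(user); return user != null; }
    public boolean abort() { boolean had = user != null; user = null; return had; }
    public boolean logout() { if (user != null) subject.getPrincipals().remove(user); user = null; return true; }
}
```

An unknown user skips the key derivation here, so response time still distinguishes the two failure cases; a production module would derive against a dummy row as well.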

Sun has an interesting angle on JAAS in the Sun ONE Appserver. Listed as one of their realms: "Customizable realms -- You can build realms for other databases, such as Oracle, to suit your specific needs by using JAAS [Java Authentication and Authorization Service] login modules. Refer to the sample realm in Sun ONE Application Server 7 as a template."

Posted by Matt Raible on December 04, 2002 at 06:56 PM MST #

I found some more goodies: All that JAAS - a JavaWorld article using MySQL. JAASRealm in Tomcat - seemingly undocumented but implemented in 4.1.x. Unfortunately, it's got a hard-coded authenticate method that doesn't make a good example in my eyes.

Posted by Matt Raible on December 04, 2002 at 07:12 PM MST #

Matt, I have experienced some problems in our project, when we tried to tie role-based security to a menu. Just making only those links in the menu available that you are allowed to follow turned out to be a nightmare. An example for this would be helpful, if Struts offers some support for this common-place feature.

Posted by F. Degenaar on December 06, 2002 at 01:15 AM MST #

Have you seen the Struts Menu that I recently posted? This might help you.

Posted by Matt on December 09, 2002 at 07:56 AM MST #

Thanks Matt, That helped a lot. Alas, I am not allowed to publish my implementation of PermissionsAdapter. Best regards Fokko

Posted by F. Degenaar on December 12, 2002 at 11:47 PM MST #

hi,

I want to use jaas with my struts application in sunone 6.1. Can anyone help me with any sample source code? Does sunone 6.1 support jaas?

Thank you

Posted by tushar on January 31, 2006 at 06:15 AM MST #
