Raible Designs

RE: J2EE App Server Security

Dion and Christian are talking about J2EE App Server Security. Specifically, they are talking about setting up standard container-managed security. J2EE allows you to specify security settings in your web.xml, but to make those work - you have to configure your app server. For Tomcat, this is pretty easy, and Resin makes it easy too. However, the XML you have to write for both is quite different and some app servers don't even let you write XML - instead you have to use their "admin console". Personally, I think most admin consoles are a pain in the ass. I'd prefer to write a single XML file to configure the server. Some servers require several files just to authenticate against a database.

AppFuse uses both container-managed authentication and a JNDI DataSource. This means you have to configure the appserver in order to run AppFuse. On many servers, this is difficult to do (or, they didn't pass my 10 minute test at least). I like servers where I can deploy a couple of JARs into a directory and a single XML file to configure the server. Tomcat and Resin come to mind.

After using Acegi for the last month, I think I'm going to ditch the "standard" J2EE security stuff. I managed to port AppFuse to use Acegi last month - and didn't have to change a single line of security-related code. The hardest parts of integrating Acegi where 1) figuring out how to build it from CVS (there's currently two src trees) and 2) excluding URLs. Once I got these two things solved, I had to add an "enabled" column to my user table, but that's about it. This is awesome b/c it means you can always port back to CMA with very few code changes.

I used to think that using the container's resources was a good thing, but I'm starting to change my mind. Spring allows you to configure a DataSource connection pool just like Tomcat does, so there's not as many benefits as there once was. Being able to drop a WAR into a directory and have your app work without configuring the server is a very nice thing. What do you think? Are there any advantages to using a container's services anymore? I suppose there is for distributed or clustered apps, but that's all I can think of.

Posted in Java at Jan 04 2005, 09:59:26 AM MST 17 Comments

Comments:

Single Sign-On? Tomcat lets you log into 1 webapp and then you're authenticated for all of the webapps running under that Tomcat instance. I assume this is a feature described in the J2EE spec. I have to admit that I don't know enough about Spring or Acegi to know whether this capability exists in them. In general though, I *do* agree with you. It's much more desirable to just drop a WAR file in (or deploy via Ant task).

The whole J2EE Realm architecture has a number of pretty big flaws. If you could just define a realm in the app's web.xml that would help a great deal.

Posted by kelzer on January 04, 2005 at 06:10 PM MST #

Single Sign-On is *not* part of the J2EE spec. The fact that enabling it in Tomcat requires the addition of a valve in server.xml is a good indication that it's some of Tomcat's special sauce. It's great under Tomcat, but it's not portable, and it's not standard.

Posted by Rob Kischuk on January 04, 2005 at 06:23 PM MST #

Single Sign-On can be accomplished without tying yourself to the container, probably accomplished better in a lot of cases since, like Rob points out, it is not part of the J2EE spec. Personally I never use container resources, it's just too much of a pain to deal with setting up when all of the logic can be neatly wrapped up in your distributable. The same goes for database connectivity. If you are releasing a product which is supposed to be user friendly then all of the configuration stuff should be able to be managed within and by the application itself without the need to futz around with the container.

Posted by Anthony Eden on January 04, 2005 at 06:46 PM MST #

I like to use Tomcat to manage my DB Connection. So I can use the same distributable (.war) on my dev/stage/live server without a single change of config stuff. It is once defined in Tomcat/conf for each server where it differs. This helps a lot for quick testing.

Posted by Karsten Voges on January 04, 2005 at 07:13 PM MST #

If the database properties are in an external file then you can just as easily have an two different ant tasks, one for build and one for deploy and have them include a different properties file as necessary.

Posted by Anthony Eden on January 04, 2005 at 07:26 PM MST #

Acegi integrates with Yale Central Authentication Service for Singlev Sign-On. I had a hassle with Container-Managed Authentication when I had to work with a legacy database with its own quirky table structures. Writing a Tomcat-specific realm implementation sets off the 'dependency alarm'. I've been looking at using Acegi, and AppFuse seems like a good example to get started with.

Posted by Kim Pepper on January 04, 2005 at 09:25 PM MST #

With JBoss you can include a file with your users and their passwords in your deployment archive, and it will be seen by the app, which is useful for certain kinds of "security."

Posted by John G. Norman on January 04, 2005 at 11:50 PM MST #

Ive just modified my application to use container managed authentication, so I can use tomcat's single sign on between my application, Roller Weblogger and JForum (www.jforum.net). JForum doesnt use J2EE Security, but all I had to do was make changes to one method to check the remoteUser() instead of a cookie.

Although doing this ties me to Tomcat for now, thats what I was planning to use anyway. I did have some problems where signing out of one app didnt sign them all out, so made some minor modifications and added some filters to the other applications that intercept the login/logout/register pages, and redirect to the appropriate page in my main application. This gives a consistant login/logout page which is good anyway.

Posted by Dan Campers on January 05, 2005 at 01:08 AM MST #

As Kim pointed out, Acegi Security integrates with CAS. We just didn't see the point in inventing our own single sign on (SSO) infrastructure when CAS was such a widely deployed, feature-rich, open-source approach. One benefit people sometimes don't notice with CAS (when comparing it to "container wide" SSO solutions) is it allows SSO across separate web servers, and even across separate web server software (eg it directly supports IIS and Apache, along with many others), and across client types (not just web servers, but also web services and rich clients such as Swing). Whilst I am fond of CAS, I should mention Acegi Security's provider model allows any number of pluggable providers to be used (including CAS, LDAP, JDBC, in-memory, DAO and JAAS), and new ones developed for other SSO solutions. There is a FAQ entry at http://acegisecurity.sourceforge.net/faq.html entitled "Why not just use web.xml security?". It might be of interest to some people, given this thread.

Posted by Ben Alex on January 05, 2005 at 09:19 AM MST #

I think that were J2EE security is going is to use JAAS for authentication and something based on XACML (and Sun's java.net project around it) for authorization. SSO could be via JSESSIONID cookie or via a SAML based system. Also check out the documentation on the WebLogic Security Framework to see a pretty good design for security MBeans.

Posted by Brian Repko on January 05, 2005 at 03:22 PM MST #

uhhh... sso in appfuse. thank you! no app server dependancies in that area. oh, hell yeah.

Posted by maybenull on January 07, 2005 at 03:44 PM MST #

So where can I find AppFuse 1.8? =D
I was developing a simle webapp last month, by studying AppFuse 1.7. I also started to use Acegi as my security suite - it's quite suitable for my app. But AppFuse (1.7 I mean) has its own security implementation, so I tried to integrate it by myself... (At that time I just couldn't realize that's a nice resource like this: AppFuseSecurity, Okay, lastly I was able to do so just for a simple login) </br> Now I know there's AppFuse 1.8, where can I get it? I'd like to know more about the integration, in particular, the cookie-automatic logon (aka 'remember me'). How to get this feature done? Oh, and one more question, which acegi version does AppFuse using? 1.6.1 or latest 1.7? Anyway, I believe the upgrading effort would not be so heavy.
And for SSO, I'd like to know if anyone using it for your webapps? Is CAS nice? =P

Posted by Hue on January 22, 2005 at 02:34 AM MST #

Hue - AppFuse 1.8 hasn't been released yet. I plan on releasing it next month. In the meantime, you could grab the latest AppFuse from CVS - it's pretty stable and includes Acegi Security as documented on the wiki.

Posted by Matt Raible on January 24, 2005 at 04:30 AM MST #

I moved appfuse 1.8.2 to CMA beacuse I have a josso SSO environment. Would you think about josso? tks all :)

Posted by Renato Eschini on September 26, 2005 at 08:18 AM MDT #

Anyone in the community conquered integrating XACML with ACEGI? Would love to see a blog from whomever figured it out...

Posted by James on August 10, 2006 at 04:24 PM MDT #

Hi, I'm developing the web application base on appfuse framework. I want to use Signle Sign On with CAS+Acegi . But I dont know how to config in appfuse application . Please help me to do that. Thanks, Dung Nguyen.

Posted by Dung Nguyen on January 09, 2007 at 01:19 PM MST #

Dung - AppFuse's security file is located at web/WEB-INF/security.xml. To integrate Acegi with CAS, see Acegi's CAS documentation.

Posted by Matt Raible on January 10, 2007 at 01:25 AM MST #

10+ YEARS

TWITTER

RECENT ENTRIES

Tag Cloud

RE: J2EE App Server Security