Matt RaibleMatt Raible is a Java Champion and Developer Advocate at Okta.

The Angular Mini-Book The Angular Mini-Book is a guide to getting started with Angular. You'll learn how to develop a bare-bones application, test it, and deploy it. Then you'll move on to adding Bootstrap, Angular Material, continuous integration, and authentication.

Spring Boot is a popular framework for building REST APIs. You'll learn how to integrate Angular with Spring Boot and use security best practices like HTTPS and a content security policy.

For book updates, follow @angular_book on Twitter.

The JHipster Mini-Book The JHipster Mini-Book is a guide to getting started with hip technologies today: Angular, Bootstrap, and Spring Boot. All of these frameworks are wrapped up in an easy-to-use project called JHipster.

This book shows you how to build an app with JHipster, and guides you through the plethora of tools, techniques and options you can use. Furthermore, it explains the UI and API building blocks so you understand the underpinnings of your great application.

For book updates, follow @jhipster-book on Twitter.


Over 10 years ago, I wrote my first blog post. Since then, I've authored books, had kids, traveled the world, found Trish and blogged about it all.

Using JAAS with Tomcat

Want to use JAAS with Tomcat? If so, you might want to checkout this Using Tomcat with JAAS tutorial.

Although it is possible to use JAAS within Tomcat as an authentication mechanism (JAASRealm), the flexibility of the JAAS framework is lost once the user is authenticated. This is because the principals are used to denote the concepts of "user" and "role", and are no longer available in the security context in which the webapp is executed. The result of the authentication is available only through request.getRemoteUser() and request.isUserInRole().

This reduces the JAAS framework for authorization purposes to a simple user/role system that loses its connection with the Java Security Policy. This tutorial's purpose is to put a full-blown JAAS authorisation implementation in place, using a few tricks to deal with some of Tomcat's idiosyncrasies.

Personally, request.isUserInRole() usually does everything I need. If I need something more than that, it's usually pretty easy to add some custom logic. Of course, if I ever need anything super robust, I'll probably use the Acegi Security System for Spring.

Posted in Java at Jun 03 2004, 10:30:27 AM MDT 3 Comments

In a previous life I put an effort into JAAS-ing Expresso. The JAAS complexity increases dramatically when you want to use JAAS for authorisation purposes (<code>Subjec.doAs()</code>), especially data-level authorisation based on associated role (relation to object). Expresso offers this, and we needed it at work, but in the end I gave up. I recently came across an article on the IBM site that explains how to do just that, but it doesn't look nice. One of our architects is currently looking into redesigning our security framework around JAAS, but even on WebSphere 5.1 support for JAAS is, ahum, poor ;)

I'll check out the Acegi system to see if it is interesting.

Posted by Jaap on June 03, 2004 at 12:35 PM MDT #

That was rather prescient Matt - that tutorial is exactly what I need for what I'm working on at the moment! JAAS is cool, but there are annoying factors:

  • Your LoginModules need to be in the boot class path - so you need your own jvm, no more using a host that only gives you a shared servlet engine
  • Overriding the standard Policy implementation is a bit of an arse. It's defined by a flat text file, so if you want to dole-out permissions to specific users based on information contained in your db - you need to create your own Policy implementation, and let it defer the boring stuff to the Sun policy implementation...


Posted by Roberto on June 04, 2004 at 04:23 AM MDT #

hi matt, i've released the first version(v0.50) of a security library on top of jaas for j2ee webapps. it is called jGuard( it hide the jaas complexity, and can be used on different application servers. with it, you can manage authentication and authorizations with a database(LDAP is planned). changes can be made "on the fly". charles.

Posted by diabolo512 on June 10, 2004 at 12:14 AM MDT #

Post a Comment:
Comments are closed for this entry.