
JAAS risks

Surasak Leenapongpanit
Ranch Hand

Joined: May 10, 2002
Posts: 341
Hi,
Can anybody list out the risks associated with using JAAS?
Thanks.
Pankaj Kr
Author
Ranch Hand

Joined: Sep 09, 2003
Posts: 80
It is not clear whether you are asking for risks associated with (i) writing a LoginModule as per the JAAS specification; (ii) using a JAAS-based Login Module for an Authentication Server; or (iii) the JAAS mechanism of specifying specific authorizations in a policy file. As with any project, uses of any of these include risks.
One thing that I would like to mention is that JAAS-based authentication becomes fairly complicated in a client-server environment. (No wonder that Web Apps and EJB Apps do not use it directly -- most of it is hidden by the respective containers).
The file-based policy specification also has admin. and auditing problems -- but this is not an inherent limitation of JAAS. JAAS allows pluggable implementation of policy database and corresponding provider. For a production environment, one should use a good provider.


Pankaj Kumar
Home - WebLog - J2EE Security
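
Added example, not part of the original posts: one way to approach the auditing problem of a file-based policy is to flatten the grant entries into reviewable rows and flag the broadest ones. The script assumes the default Java policy file syntax; the sample policy and its principal class names are constructed for illustration.

```python
import re

# Constructed sample policy, not from the thread; the principal classes are hypothetical.
SAMPLE_POLICY = '''
// No codeBase, signedBy or principal: applies to everything
grant {
    permission java.security.AllPermission;
};
grant principal com.example.auth.UserPrincipal "alice" {
    permission java.io.FilePermission "<<ALL FILES>>", "read,write";
};
/* narrowly scoped entry */
grant codeBase "file:${app.home}/lib/-", principal com.example.auth.RolePrincipal "auditor" {
    permission java.io.FilePermission "/var/app/reports/*", "read";
};
'''

STRING_OR_COMMENT = re.compile(r'"[^"]*"|//[^\n]*|/\*.*?\*/', re.S)
GRANT = re.compile(r'\bgrant\b((?:"[^"]*"|[^{"])*)\{((?:"[^"]*"|[^}"])*)\}\s*;', re.I)
PERMISSION = re.compile(r'\bpermission\s+([\w.$]+)((?:\s*,?\s*"[^"]*")*)', re.I)

def strip_comments(text):
    """Drop // and /* */ comments but leave quoted strings such as "/tmp/*" intact."""
    return STRING_OR_COMMENT.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)

def inventory(text):
    """Return one (scope, permission_class, target, actions) row per permission line."""
    rows = []
    for header, body in GRANT.findall(strip_comments(text)):
        scope = " ".join(header.split())  # empty string means an unscoped grant
        for cls, args in PERMISSION.findall(body):
            quoted = re.findall(r'"([^"]*)"', args) + ["", ""]
            rows.append((scope, cls, quoted[0], quoted[1]))
    return rows

def audit(text):
    """Flag the entries a reviewer should question first."""
    findings = []
    for scope, cls, target, actions in inventory(text):
        if not scope:
            findings.append((cls, "grant applies to all code and all principals"))
        if cls == "java.security.AllPermission":
            findings.append((cls, "grants every permission"))
        if cls == "java.io.FilePermission" and target == "<<ALL FILES>>":
            findings.append((cls, f"whole filesystem ({actions}) for {scope}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY):
        print("FLAG:", *finding)
```

Running the inventory on every policy change and diffing the rows gives a reviewable record of who was granted what, which the raw file does not provide.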
 