
JAAS risks

Surasak Leenapongpanit
Ranch Hand

Joined: May 10, 2002
Posts: 341
Can anybody list out the risks associated with using JAAS?
Pankaj Kr
Ranch Hand

Joined: Sep 09, 2003
Posts: 80
It is not clear whether you are asking for risks associated with (i) writing a LoginModule as per JAAS specification; (ii) using a JAAS-based Login Module for an Authentication Server; or (iii) the JAAS mechanism of specifying specific authorizations in a policy file. As with any project, uses of any of these include risks.
One thing that I would like to mention is that JAAS based authentication becomes fairly complicated in a client-server environment. (No wonder that Web Apps and EJB Apps do not use it directly -- most of it is hidden by the respective containers).
The file-based policy specification also has admin. and auditing problems -- but this is not an inherent limitation of JAAS. JAAS allows pluggable implementation of policy database and corresponding provider. For a production environment, one should use a good provider.

Pankaj Kumar