Why JAAS ?

Hussein Baghdadi
clojure forum advocate

Joined: Nov 08, 2003
Posts: 3479

Hey all.
I am just wondering about the importance of JAAS.
When to use JAAS?
EJB and servlet architecture already has two types of security:
declarative and programmatic.
If we already have these approaches, why use JAAS?
james edwin
Ranch Hand

Joined: Nov 22, 2001
Posts: 393
Well, it depends on your architecture. Suppose you are using EJB. Then we don't need to use JAAS, as we can use EJB security.

Actually JAAS can be used as authentication technology for servlets. One important feature of JAAS is pure Java implementation. The JAAS infrastructure is divided into two main components: an authentication component and an authorization component. The JAAS authentication component provides the ability to reliably and securely determine who is currently executing Java code, regardless of whether the code is running as an application, an applet, a bean, or a servlet.

It totally depends on the architecture. I don't know much about JAAS, I have just gone through this

Hope above helps !!
[ September 03, 2004: Message edited by: james edwin ]

Paul Sturrock

Joined: Apr 14, 2004
Posts: 10336

JAAS is intended as a pluggable authentication service. Sun's intention (in the J2EE world anyway) is that security can become separate from vendor-specific code as much as possible. Instead of defining a lot of security stuff in the container's security - which can be quite involved, and possibly will affect other applications deployed in the same container - they want you to define a LoginModule which you can deploy as part of your application so everything your application needs including security is all in one EAR.

JAAS can be very useful for wrapping odd, legacy security mechanisms. It can also be useful using programmatic security when you find declarative security works for most cases, except for the odd exceptional case.

However, how well this is implemented varies across vendors. For example WebSphere in particular is a big problem - since you can't yet (in 5.1) use a LoginModule as the primary (or only) authentication mechanism with web apps using form-based authentication. You still have to use a Custom User Registry. WebSphere also implements its own versions of some of the key classes involved in JAAS (WSSubject and WSCredentials) which dilutes the standard.

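As an added illustration of the LoginModule approach described in the last reply above (not code from any poster in this thread), this Java class wraps a hypothetical legacy credential check in a JAAS LoginModule and drives it through LoginContext. The class name, the hard-coded check and its constructed credentials, the "demo" entry name and the in-code Configuration are assumptions made for the example; UserPrincipal is the one shipped with the standard JDK.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
public class LegacyLoginModule implements javax.security.auth.spi.LoginModule {
    private Subject subject; private CallbackHandler handler; private java.security.Principal principal;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }
    public boolean login() throws LoginException { // phase 1: verify, leave the Subject untouched
        NameCallback n = new NameCallback("user: ");
        PasswordCallback p = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { n, p }); }
        catch (Exception e) { throw new LoginException(e.toString()); }
        // Hypothetical stand-in for the legacy check being wrapped (constructed credentials).
        boolean ok = "alice".equals(n.getName()) && Arrays.equals(p.getPassword(), "constructed-pw".toCharArray());
        p.clearPassword();
        if (!ok) throw new FailedLoginException("bad credentials");
        principal = new com.sun.security.auth.UserPrincipal(n.getName());
        return true;
    }
    public boolean commit() { // phase 2: attach the identity once the overall login succeeded
        if (principal != null) subject.getPrincipals().add(principal);
        return principal != null;
    }
    public boolean abort() { return logout(); }
    public boolean logout() { // remove only what this module added
        if (principal != null) subject.getPrincipals().remove(principal);
        principal = null;
        return true;
    }
    public static void main(String[] args) throws LoginException {
        Configuration cfg = new Configuration() { // in-code equivalent of a one-entry login config
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(LegacyLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
            }
        };
        for (String pw : new String[] { "constructed-pw", "wrong" }) { // one accepted, one rejected attempt
            CallbackHandler h = cbs -> {
                for (Callback c : cbs)
                    if (c instanceof NameCallback) ((NameCallback) c).setName("alice");
                    else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(pw.toCharArray());
            };
            LoginContext lc = new LoginContext("demo", new Subject(), h, cfg);
            try { lc.login(); System.out.println("ok: " + lc.getSubject().getPrincipals()); }
            catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

The split between login() and commit() is what lets several modules be stacked: no principal reaches the Subject until every required module has accepted the credentials.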