Hey all. I am just wondering about the importance of JAAS. when to use JAAS ? EJB and servlet architecture has already to types of security : declerative and programmatic. if we have already these approaches, why to use JAAS ?
Joined: Nov 22, 2001
Well it depends on your Architecture.Suppose you are using EJB.Then we don't need use JAAS,as we can use EJB security
Actually JAAS can be used as authentication technology for servlets. One important feature of JAAS is pure Java implementation. The JAAS infrastructure is divided into two main components: an authentication component and an authorization component. The JAAS authentication component provides the ability to reliably and securely determine who is currently executing Java code, regardless of whether the code is running as an application, an applet, a bean, or a servlet.
It's totally depends on Architecture to Architecture.I don't know much about JAAS,I have just done through this Article
Hope above helps !! [ September 03, 2004: Message edited by: james edwin ]
JAAS is intended as a plugable authentication service. Sun's intention (in the J2EE world anyway) is that security can become seperate from vendor specific code as much as possible. Instead of defining a lot of security stuff in the container's security - which can be quite involved, and possibly will affect other applications deployed in the same container - they want you to define a LoginModule which you can deploy as part of your application so everything your application needs including security is all in one EAR.
JAAS can be very useful for wrapping odd, legacy security mechanism. It can also be useful using programatic security when you find declarative security works fopr most cases, except for the odd exceptional case.
However, how well this is implemented varies across vendors. For example WebSphere in particular is a big problem - since you can't yet (in 5.1) use a LoginModule as the primary (or only) authentication mechanism with web apps using form based authentication. You still have to use a Custom User Registry. WebSphere also implements its own versions of some of the key classes involed in JAAS (WSSubject and WSCredentials) which dilutes the standard.