my dog learned polymorphism
The moose likes Security and the fly likes JAAS:  Declarative or Programmatic Security Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Engineering » Security
Bookmark "JAAS:  Declarative or Programmatic Security" Watch "JAAS:  Declarative or Programmatic Security" New topic

JAAS: Declarative or Programmatic Security

Chris Dempsey

Joined: Feb 24, 2004
Posts: 9
During a recent discussion about our project's security implementation a friend of mine and I got into a debate on whether JAAS was declarative security or programmatic. I contented that it was programmatic security since at some point your code under security must make a security check within the code. My pal said it was declarative because JAAS is configured by a policy file that was configurable outside of Java code.

What is the view of my fellow Ranchers?
Ionut Barau

Joined: Feb 18, 2008
Posts: 25
I've been trying to understand j2ee security/jass for a week now and still i can't keep the terms straight. I will share my opinion on your question, hoping someone will bring some light.

As far as i understood, declarative security (or container managed security) is handled by the container(DOH!). How it is handled it depends on container implementation.Websphere for example, uses jaas for authentication.The special servlet j_security_check verifies credentials with the help of jaas login modules.So even though you use declarative security, in websphere you are using jass indirectly.Websphere authentication

Programmatic security can be of 2 flavors:

1.Using the request object methods:isUserInRole, getRemoteUser

2.Using jaas login modules

If someone has a different opinion please share some light.

With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
subject: JAAS: Declarative or Programmatic Security
It's not a secret anymore!