JAAS: Declarative or Programmatic Security

Chris Dempsey

Joined: Feb 24, 2004
Posts: 9
During a recent discussion about our project's security implementation, a friend of mine and I got into a debate on whether JAAS was declarative security or programmatic. I contended that it was programmatic security since at some point your code under security must make a security check within the code. My pal said it was declarative because JAAS is configured by a policy file that was configurable outside of Java code.

What is the view of my fellow Ranchers?
Ionut Barau

Joined: Feb 18, 2008
Posts: 20
I've been trying to understand J2EE security/JAAS for a week now and still I can't keep the terms straight. I will share my opinion on your question, hoping someone will bring some light.

As far as I understood, declarative security (or container-managed security) is handled by the container (DOH!). How it is handled depends on the container implementation. WebSphere, for example, uses JAAS for authentication. The special servlet j_security_check verifies credentials with the help of JAAS login modules. So even though you use declarative security, in WebSphere you are using JAAS indirectly. WebSphere authentication

Programmatic security can be of 2 flavors:

1. Using the request object methods: isUserInRole, getRemoteUser

2. Using JAAS login modules

If someone has a different opinion please share some light.
