Authorization Using Application server

jeff rusty
Ranch Hand

Joined: Nov 07, 2006
Posts: 109
Hi,

I have a doubt about the security features provided by WebLogic or WebSphere. I am new to it, so correct me if I am wrong.
My doubt is this: if security features like HTTP Digest authentication, method-level user authorization based on role, etc. are provided by application servers like WebLogic or WebSphere, then can we ignore security frameworks like ACEGI or JAAS?? Or how do these security features differ from the ones provided by the application server?
Rahul Bhattacharjee
Ranch Hand

Joined: Nov 29, 2005
Posts: 2308
I do not know about ACEGI, but JAAS is the Java implementation of PAM (Pluggable Authentication Modules) and, apart from authentication, it has a feature for authorization too.

The other kinds of authentication (DIGEST, FORM etc.) that you are talking about come from the servlet specification. As WebLogic and WebSphere are application servers, they have to provide implementations of these declarative J2EE security features also.

You can design an application only with the help of J2EE authentication and authorization, without going for JAAS.


Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39535
HTTP/servlet authentication obviously is only usable in web apps, so if the application is accessed via other means then the app server still needs to provide authentication services - JAAS can do that (Acegi, too, but it is specifically geared towards web apps).

And even if HTTP authentication is used, it stops at telling you which user you're serving, and which roles that user is in. It does nothing to enforce authorization rules about which user can access which functionality - you'd be relying on the application code to check that. Here, too, JAAS can help.


jeff rusty
Ranch Hand

Joined: Nov 07, 2006
Posts: 109
"is only usable in web apps" - what does it mean? I didn't get it. Can you please tell me what the other ways are in which an application can be invoked?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39535
Other clients might be a Swing application, or a web service. In those cases, HTTP authentication is not available, but you still need to do authentication and authorization.
[ June 25, 2007: Message edited by: Ulf Dittmer ]
Rahul Bhattacharjee
Ranch Hand

Joined: Nov 29, 2005
Posts: 2308
Originally posted by prem shakthi:
"is only usable in web apps" - what does it mean? I didn't get it.


As HTTP authentication is part of the servlet specification and is implemented by web containers, you can use it only within web containers. It will not be usable for standalone programs.

Going ahead: JAAS does not have any such dependency; it can be used to do a wide variety of authentications. It can even be used to authenticate a system which is trying to communicate with some other system, where no actual user is involved.
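Added example (mine, not code posted in this thread) that ties together the two points made above: Ulf's, that authentication only tells you who the user is and which roles they hold while the application still has to enforce what each role may do, and Rahul's, that JAAS has no servlet-container dependency. It is a standalone Java 17 program: a hypothetical in-memory LoginModule (user store, passwords and role names are constructed for the example), a programmatic JAAS Configuration so no jaas.conf file is needed, and an application-level role check guarding a sensitive operation.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class StandaloneJaasDemo {

    // Constructed user store for this example (stands in for a directory or database).
    static final Map<String, String> PASSWORDS = Map.of("alice", "alice-pw", "bob", "bob-pw");
    static final Map<String, Set<String>> ROLES =
        Map.of("alice", Set.of("admin", "user"), "bob", Set.of("user"));

    // Role principals attached to the Subject once login commits.
    public record RolePrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }

    // Hypothetical LoginModule: authenticates against the in-memory store above.
    public static class InMemoryLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String user;

        @Override public void initialize(Subject subject, CallbackHandler handler,
                                         Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e);
            }
            String expected = PASSWORDS.get(nc.getName());
            char[] given = pc.getPassword();
            pc.clearPassword();
            // Constant-time compare so timing does not reveal how much of the password matched.
            boolean ok = expected != null && given != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                new String(given).getBytes(StandardCharsets.UTF_8));
            if (!ok) throw new FailedLoginException("bad credentials for " + nc.getName());
            user = nc.getName();
            return true;
        }

        @Override public boolean commit() {
            if (user == null) return false;
            for (String r : ROLES.getOrDefault(user, Set.of()))
                subject.getPrincipals().add(new RolePrincipal(r));
            return true;
        }
        @Override public boolean abort()  { user = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); user = null; return true; }
    }

    // Programmatic JAAS configuration: one REQUIRED module, no jaas.conf file.
    static final Configuration CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                InMemoryLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
        }
    };

    // Authentication: works the same from a Swing client, a batch job or a web app.
    static Subject login(String user, String password) throws LoginException {
        CallbackHandler h = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback nc) nc.setName(user);
                else if (c instanceof PasswordCallback pc) pc.setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("demo", new Subject(), h, CONFIG);
        lc.login();
        return lc.getSubject();
    }

    // Authorization: login only told us the roles; each sensitive operation must enforce them.
    static void requireRole(Subject s, String role) {
        if (!s.getPrincipals(RolePrincipal.class).contains(new RolePrincipal(role)))
            throw new SecurityException("operation requires role '" + role + "'");
    }

    static String deleteAccount(Subject caller, String account) {
        requireRole(caller, "admin");   // the check that HTTP authentication alone never does for you
        return "deleted " + account;
    }

    public static void main(String[] args) throws Exception {
        Subject alice = login("alice", "alice-pw");
        System.out.println(deleteAccount(alice, "acct-42"));   // allowed: alice holds "admin"
        Subject bob = login("bob", "bob-pw");
        try { deleteAccount(bob, "acct-42"); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        try { login("bob", "wrong"); }
        catch (LoginException e) { System.out.println("login failed: " + e.getMessage()); }
    }
}
```

Run with `java StandaloneJaasDemo.java`. In a servlet container the same `requireRole` check would be fed from `HttpServletRequest.isUserInRole()` instead of a Subject, but the point is the same: the container or LoginModule establishes identity and roles, and the application code (or an EJB/servlet security constraint declared for each method or URL) is what actually denies the operation.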