I have a doubt on the security features provided by WEBLOGIC or WEBSPHERE .I am new to it so correct if iam wrong. My doubt is that security features like HttpDigest authentiaction ,Method level user authorization based role ,etc. is provided by application servers like WEBLOGIC or WEBSPHERE then in such case can we ignore security framework like ACEGI or JASS?? or how does these secuirty features differ from the one provided by APPlication server
I do not know about ACEGI , but JAAS is java implementation of PAM (Pluggable Authentication Module) and apart from authentication ,it has feature to Authorization too.
Other kinds of authentication (DIGEST,FORM etc) that you are talking about comes from the servlet specification.As weblogic and websphere are application server , so they have to provide implementation of these declarative J2EE security features aslo.
You can design a application only with the help of J2EE authentication and authorization and without going for JAAS.
HTTP/servlet authentication obviously is only usuable in web apps, so if the application is accessed via other means then the app server still needs to provide authentication services - JAAS can do that (Acegi, too, but it is specifically geared towards web apps).
And even if HTTP authentication is used, it stops at telling you which user you're serving, and which roles that user is in. It does nothing to enforce authorization rules about which user can access which functionality - you'd be relying on the application code to check that. Here, too, JAAS can help.
is only usuable in web apps - what does it mean i didnt get it.. can you please tell me what are the other ways application can be invoked
Joined: Mar 22, 2005
Other clients might be a Swing application, or a web service. In those cases, HTTP authentication is not available, but you still need to do authentication and authorization. [ June 25, 2007: Message edited by: Ulf Dittmer ]
Joined: Nov 29, 2005
Originally posted by prem shakthi: is only usuable in web apps - what does it mean i didnt get it..
As HTTP authentication is part of servlet specification and are implemented by web containers so you can use it only within web containers.Will not be usable for standalone programs.
Going ahead ; JAAS do not have any such dependency , it can be used to do a wide variety to authentications.Even it can be used to authenticate a system , which is trying to communicate with some other system.Where no actual user is involved.