
JAAS vs Container Managed Security

James Ellis
Ranch Hand

Joined: Oct 14, 2004
Posts: 205
What is the relationship between a servlet container's use of Container Managed Security and JAAS (if any)? For instance, if I am coding security around several servlets, I'd just set up all the protected resources in web.xml and configure my users, passwords and roles in a database (assuming JDBCRealm).

So does JAAS have anything to do with this or is it mostly only used from heavy clients (like Swing) and not from web applications?

Nitesh Kant

Joined: Feb 25, 2007
Posts: 1638

Tomcat's authentication/authorization model is not built on JAAS. It is a simple role-based access control model.
The authentication is pluggable through the means of Realms. Authorization is based on the roles retrieved during authentication, and access is checked against them.

JAAS, on the other hand, defines authentication based on pluggable login modules (similar to Tomcat) and authorization based on a policy file. This may be used to define role-based access control, source-code-based control (classes in one jar file are allowed to do something and classes in another jar file are not), etc.

In fact, there is a facility to use a JAASRealm with Tomcat, but the relationship ends after authentication. Tomcat uses its own authorization process.
[ July 01, 2008: Message edited by: Nitesh Kant ]

aldrin d'souza

Joined: Jul 03, 2008
Posts: 4
The web.xml specifies the developer's view of the security constraints which apply to the application. The container is free to implement them in whichever way it sees best. Some, like WebSphere, use JAAS internally to implement these security constraints. If all you care about is that the security guarantees in your web.xml are met, you need not bother about JAAS.

However, if your container does not provide the security guarantees you need, say some fancy single sign-on, you may need to deal with JAAS. For example see
I agree. Here's the link: