
JAAS vs Container Managed Security

 
James Ellis
Ranch Hand
Posts: 205
What is the relationship between a servlet container's use of Container Managed Security and JAAS (if any)? For instance if I am coding security around several servlets, I'd just set up all the protected resources in web.xml and configure my users, passwords and roles in a database (assuming JDBCRealm).

So does JAAS have anything to do with this or is it mostly only used from heavy clients (like Swing) and not from web applications?

Thanks,
Jim
 
Nitesh Kant
Bartender
Posts: 1638
Tomcat's authentication/authorization model is not built on JAAS. It is a simple role-based access control model.
The authentication is pluggable by means of Realms. Authorization is specific to the roles retrieved during authentication, and access is checked based on them.

JAAS, on the other hand, defines authentication based on pluggable login modules (similar to Tomcat), and authorization is based on a policy file. This may be used to define role-based access control, source-code-based control (classes in one jar file are allowed to do something and classes in another jar file are not), etc.

In fact, there is a facility to use a JAASRealm with Tomcat, but the relationship ends after authentication. Tomcat uses its own authorization process.
[ July 01, 2008: Message edited by: Nitesh Kant ]
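To make the split described in the reply above concrete, here is an added example (not code from this thread, from Tomcat, or from the JAAS reference implementation): a minimal JAAS LoginModule that only authenticates and publishes a user Principal plus one Principal per role. The user store, the password and the two Principal classes are constructed for the example; the wiring assumed is Tomcat's JAASRealm, whose userClassNames/roleClassNames attributes map those classes to the user and its roles before Tomcat applies the web.xml security constraints itself.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
// Authenticates only. A container such as Tomcat's JAASRealm maps the two Principal
// classes below to the user and its roles (userClassNames / roleClassNames) and then
// enforces the <security-constraint> entries of web.xml on its own.
public class DemoLoginModule implements LoginModule {
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String n) { name = n; }
        public String getName() { return name; }
    }
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String n) { name = n; }
        public String getName() { return name; }
    }
    // Constructed sample store (plaintext for brevity); a real module would look up hashed credentials.
    private static final Map<String, char[]> PASSWORDS = Map.of("jim", "s3cret".toCharArray());
    private static final Map<String, List<String>> ROLES = Map.of("jim", List.of("manager"));
    private Subject subject;
    private CallbackHandler handler;
    private final List<Principal> pending = new ArrayList<>();
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] {nc, pc}); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
        String user = nc.getName();
        char[] pw = pc.getPassword();                    // a copy; both are cleared below
        pc.clearPassword();
        boolean ok = user != null && pw != null && Arrays.equals(PASSWORDS.get(user), pw);
        if (pw != null) Arrays.fill(pw, '\0');
        if (!ok) throw new FailedLoginException("bad credentials");
        pending.add(new UserPrincipal(user));            // becomes the container's "user"
        for (String r : ROLES.getOrDefault(user, List.of())) pending.add(new RolePrincipal(r));
        return true;
    }
    // commit() only publishes the Principals; no authorization decision is made in this class.
    public boolean commit() { subject.getPrincipals().addAll(pending); return true; }
    public boolean abort()  { pending.clear(); return true; }
    public boolean logout() { subject.getPrincipals().removeAll(pending); pending.clear(); return true; }
}
```

Whether "manager" may reach a given URL is still decided entirely by the <auth-constraint> in web.xml, which is the boundary the reply above describes.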
 
aldrin d'souza
Greenhorn
Posts: 4
The web.xml specifies the developer's view of the security constraints which apply to the application. The container is free to implement them in whichever way it sees best. Some, like WebSphere, use JAAS internally to implement these security constraints. If all you care for is that the security guarantees in your web.xml are met, you need not bother about JAAS.

However, if your container does not provide the security guarantees you need, say some fancy single sign-on, you may need to deal with JAAS. For example, see http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/topic/com.ibm.websphere.express.doc/info/exp/ae/tsec_jaasauthentprog.html
 