wood burning stoves*
The moose likes Security and the fly likes Excluding existing code from custom JAAS login module Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of The Java EE 7 Tutorial Volume 1 or Volume 2 this week in the Java EE forum
or jQuery UI in Action in the JavaScript forum!
JavaRanch » Java Forums » Engineering » Security
Bookmark "Excluding existing code from custom JAAS login module" Watch "Excluding existing code from custom JAAS login module" New topic
Author

Excluding existing code from custom JAAS login module

Taariq San
Ranch Hand

Joined: Nov 20, 2007
Posts: 192
Inside the web tier of our application, I want to put some web services using a custom login module.
The rest of this application must be totally unaffected and continue to run as is.

I can configure oracle app server to use this custom login module for a given application, but once it does that our swing client fails to connect via RMI even though I've granted the user it connects as permissions to do so. Now this is something I can debug and look at, though I have to wonder if it isn't possible to make the login module mandatory for the web services code but optional for everything else. Is it?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41599
    
  55
WS are typically secured using the facilities of the WS-Security standard (which provides authentication, signing and encryption). What would JAAS add to that?


Ping & DNS - my free Android networking tools app
Taariq San
Ranch Hand

Joined: Nov 20, 2007
Posts: 192
Originally posted by Ulf Dittmer:
WS are typically secured using the facilities of the WS-Security standard (which provides authentication, signing and encryption). What would JAAS add to that?


I'm using UsernameToken from WS-Security, JAAS autenticates that username and password using our existing authentication code. The app server gets back a happy boolean and allows the web service to be executed. That web service gets the Subject and uses the stored credentials to authorise the execution of the transaction, auditing etc all happens as per normal, against the JAAS authenticated user.
The client wants WS in this month, and we don't have the time or resources to fully utilize the WS standards. The existing authentication/authorization module goes back ages and does all sorts of custom stuff that will 1 or 2 ages to replace.
Taariq San
Ranch Hand

Joined: Nov 20, 2007
Posts: 192
Now that I've written almost everything else but this I want to come back to it, hopefully someone's more helpful than google so far.
Sure Google knows almost everything, you just have to know how to ask.

Looking at this article I see I need a policy and a conf file, I only have the conf file.
Now I'm trying to define the config policy's contents.

Lets say my web services are in package com.javaranch.ws and the rest of my code in various com.javaranch packages, can I even require the custom login module for certain packages as opposed to applications?
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Excluding existing code from custom JAAS login module