SCEA security: does JAAS handle system users and application users

ray livia
Greenhorn

Joined: Aug 04, 2007
Posts: 16
For the security topic, I am quite confused about the following:
1. Login mechanisms specified by the J2EE platform (HTTP basic authentication, SSL authentication, or form-based login)
2. JAAS approaches
3. Customized login and authorization application modules

My questions are:
1. Does JAAS support both 1 and 3?

2. Is it always correct: There are two kinds of users in an application: J2EE system users and application users. System users are created as users in the J2EE platform, using vendor-specific tools. Application users are represented and managed by application code.

3. What is the difference between JAAS and customized login and authorization application modules for application users?
ray livia
Greenhorn

Joined: Aug 04, 2007
Posts: 16
Any reply? Is there anything wrong in my question?
Jimmy Clark
Ranch Hand

Joined: Apr 16, 2008
Posts: 2187
The Java Authentication and Authorization Service API is part of the Java Enterprise Edition. It is used to create custom login modules and custom authorization modules for applications.
ray livia
Greenhorn

Joined: Aug 04, 2007
Posts: 16
Thanks, James,

But I still have a question: do JAAS and container declarative security (role and permission) somehow overlap? E.g. in the user identity check.
Gabriel Belingueres
Ranch Hand

Joined: Feb 09, 2007
Posts: 34
Hi,
In fact, JAAS is part of Java SE, and by extension, part of J2EE too.
Farbod H Foomany
Ranch Hand

Joined: Feb 29, 2008
Posts: 63
Hi Ray,
I think your questions are valid and the answers are not obvious at all.
JAAS is primarily for J2SE. Look at the J2EE Tutorial by Sun. They talk about declarative security in it and servlet filters but not JAAS.
I am sure you know that JAAS is useful when you want to develop your own login module or callback handler, like when you want to implement a voice recognition system for your application. Many of the known methods, such as authentication by Kerberos and certificates, are already implemented.

But back to your question. Read this:
http://rejeev.blogspot.com/2008/04/j2ee-security-and-jaas.html

I know that, for example, in the context of the Oracle implementation of J2EE they call it JAAS (previously JAZN) when they pass the information to j_security_check (j_username, j_password). I can assume that this is an implementation of LoginModule. See this also (just the first few paragraphs):
http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm

But I don't know whether, when you are using .isUserInRole("rolename") or .getUserPrincipal().getName(), you are definitely using JAAS or not.

Regards
Farbod
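
Added example, not code from this thread or from any of its posters: a minimal custom JAAS `LoginModule` that authenticates application users from an application-managed store and is driven through `LoginContext`, the kind of module the replies above refer to. The class names, the in-memory store, its sample user and the `"AppUsers"` entry name are assumptions made for illustration; it needs Java 17 or later.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class AppUserLoginDemo {
    // Constructed application-user store (assumption); a real one holds salted password hashes.
    static final Map<String, String> APP_USERS = Map.of("ray", "demo-password");
    record AppUser(String name) implements Principal { public String getName() { return name; } }
    public static class AppUserLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private String user;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h;
        }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user");
            PasswordCallback pc = new PasswordCallback("password", false);
            try { handler.handle(new Callback[] { nc, pc }); }  // credentials arrive via the handler
            catch (Exception e) { throw new LoginException("callback handler failed: " + e); }
            String expected = nc.getName() == null ? null : APP_USERS.get(nc.getName());
            if (expected == null || !Arrays.equals(pc.getPassword(), expected.toCharArray()))
                throw new FailedLoginException("unknown user or wrong password");
            user = nc.getName();
            return true;  // phase 1 only verifies; nothing is attached to the Subject yet
        }
        // Phase 2: attach the principal once the whole login has succeeded.
        public boolean commit() { return user != null && subject.getPrincipals().add(new AppUser(user)); }
        public boolean abort() { user = null; return true; }  // overall login failed: forget the result
        public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof AppUser); return true; }
    }

    static Subject login(String name, String password) throws LoginException {
        CallbackHandler h = cbs -> Arrays.stream(cbs).forEach(cb -> {
            if (cb instanceof NameCallback nc) nc.setName(name);
            if (cb instanceof PasswordCallback pc) pc.setPassword(password.toCharArray());
        });
        Configuration cfg = new Configuration() {  // in-code stand-in for a JAAS login configuration file
            public AppConfigurationEntry[] getAppConfigurationEntry(String app) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    AppUserLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        };
        LoginContext lc = new LoginContext("AppUsers", null, h, cfg);
        lc.login();  // throws FailedLoginException for an unknown user or a wrong password
        return lc.getSubject();
    }
}
```

Calling `AppUserLoginDemo.login("ray", "demo-password")` returns a `Subject` carrying one `AppUser` principal. Mapping such a principal onto container roles is vendor-specific and is not shown here.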
 