For the security topic, I am quite confused about the following:
1. Login mechanisms specified by the J2EE platform (HTTP basic authentication, SSL authentication, or form-based login)
2. JAAS approaches
3. Customized login and authorization application modules

My questions are:
1. Does JAAS support both 1 and 3?
2. Is it always correct: There are two kinds of users in an application: J2EE system users and application users. System users are created as users in the J2EE platform, using vendor-specific tools. Application users are represented and managed by application code.
3. What are the differences between JAAS and customized login and authorization application modules for application users?

Hi Ray,

I think your questions are valid and the answers are not obvious at all. JAAS is primarily for J2SE. Look at the J2EE Tutorial by Sun. They talk about declarative security in it and servlet filters, but not JAAS. I am sure you know that JAAS is useful when you want to develop your own login module or callback handler, like when you want to implement a voice recognition system for your application. Many of the known methods, such as authentication by Kerberos and certificates, are already implemented.