J2EE Security

Rachel Swailes
Ranch Hand

Joined: May 18, 2004
Posts: 434
Hi there.

I am busy working on the security for the tapestry web application we are building.

As it started out really small we built in a login module and a way of moving the active user account throughout the system using the session without a specific security framework. Now that it is getting larger we are looking at alternatives like J2EE with JAAS or Acegi.

Over the past few days I've been doing a lot of reading on the topic and I am not sure as to why we would need to implement something along these lines if we already have a way of authenticating the user and the application will never be interfacing with third party j2ee applications.

Is there some wow factor item in J2EE Security that I have overlooked?

Many thanks,
Roger Chung-Wee
Ranch Hand

Joined: Sep 29, 2002
Posts: 1683
As your app will run in a servlet container, are you doing your authentication by basic, form, digest or SSL and client certificate?

SCJP 1.4, SCWCD 1.3, SCBCD 1.3
Rachel Swailes
Ranch Hand

Joined: May 18, 2004
Posts: 434
I am not sure strictly which category this falls into.

When the user logs on we authenticate them against the database and store the user in tapestry's visit object.

The other reason we are looking into these technologies is that the time has come to implement roles and permissions. If J2EE or some such framework is going to make this very simple for us and provide an easy way to set up roles and permissions from inside the web application, then it would be useful to us to implement user authentication as specified by the J2EE framework.

With j2ee is it possible to specify user roles and permissions from inside the web application?

Many thanks.
[ March 30, 2006: Message edited by: Rachel Swailes ]
Mattias Arthursson
Ranch Hand

Joined: Jul 26, 2004
Posts: 90
In my experience, standard J2EE security is vastly insufficient for anything but the very simplest of tasks. Once the requirements become even the slightest bit tricky you end up coding the logic yourself.

When it comes to defining roles and permissions that will pretty much always be implementation dependent - I'm guessing you will want to be able to store your users in the same way you're doing now. That means that you'll still need to write the code to modify users and roles yourself (that's typically not part of the security framework, even though some application servers have their own proprietary API for doing it).

I'd go with Acegi; it's a very robust and flexible framework.

Admit nothing. Blame everyone. Be bitter.
Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42965
If you already have web app authentication, then you can add roles quite easily. As long as you have access to the HttpServletRequest object, you can use its getRemoteUser, getUserPrincipal, getAuthType and isUserInRole methods to access role information about the user.
Permissions are not part of web app security, though. If using JAAS seems daunting, consider something like JGuard to take the pain out of it.
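An added illustration of the container API described above, not code from this thread or from any project mentioned in it: a servlet filter that maps path prefixes to required roles and enforces them with getUserPrincipal, isUserInRole and getAuthType. The prefixes "/admin/" and "/reports/" and the roles "admin" and "analyst" are assumed values; the roles would have to be declared in web.xml and the filter mapped to the paths it guards.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Role check filter built on the container's own security API. Assumes the
// container already authenticated the user (form or basic login in web.xml)
// and that the roles "admin" and "analyst" are declared there (hypothetical).
public class RoleCheckFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(RoleCheckFilter.class.getName());
    // Servlet path prefix -> role required to reach it (constructed values)
    private final Map<String, String> requiredRoles = new LinkedHashMap<String, String>();

    public void init(FilterConfig cfg) {
        requiredRoles.put("/admin/", "admin");
        requiredRoles.put("/reports/", "analyst");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getServletPath();
        for (Map.Entry<String, String> e : requiredRoles.entrySet()) {
            if (!path.startsWith(e.getKey())) continue;
            Principal user = request.getUserPrincipal();
            if (user == null) {
                // No container login ran for this request: not authenticated
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            if (!request.isUserInRole(e.getValue())) {
                // Authenticated but lacking the role: record the attempt, then deny
                LOG.warning("denied " + user.getName() + " (" + request.getAuthType()
                        + ") on " + path + ", needs role " + e.getValue());
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            break; // first matching prefix decides
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

The denied-access log line is the piece worth keeping in a central log: repeated 403s for one principal across guarded paths are an easy signal to alert on.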
Rachel Swailes
Ranch Hand

Joined: May 18, 2004
Posts: 434
Hi guys.

Thanks for the advice. I'm going to check out JGuard to see what it can do for me.
