I have a requirement where in I have an application client as well as web client for my ejb application.
Coming to talk of secuity ---- I would like to confirm if my understanding is right.
Let us say that
I implement security in my java swing based application using the JAAS. I implement security for my web tier using the container managed security in web.xml; I implement security for my ejb tier using the container managed security in ejb-jar.xml;
I have the option to implement for my web and ejb tier to go for programmatic based implementation...however, since what the container provides is sufficient, i have chosen the same.
In swing based client applications by using JAAS --- we have the flexibilty to incorporate standard security mechanisms like Solaris NIS (Network Information Services), Windows NT, LDAP (lightweight access directory protocol), Kerberos, and others into our application in a consistent, configurable way;
In web tier / ejb tier if we had not gone by container managed declarative security then we would have had to go for managing the security programmatically. Is that also based on JAAS??? If not ...why is JAAS not used there?