JAAS has me confused!

Hey all,

I'm working on a client-server project, using RMI to communicate between each side. I was thinking about using JAAS to authenticate and authorize my clients on the server. I can't seem to find any examples that make sense to me. I'm looking to log users in and load the corresponding user's permissions. These permissions should tell the server what methods the client can and cannot execute. These methods will be modifying data structures (adding, deleting, modifying elements). I'm pretty confused how to fit all the pieces together. Does anybody have any suggestions, tutorials, example codes, etc. that might be useful?

To be more clear about my requirements, I'm planning on having a forum structure (and other features) that certain users should be able to create, edit, or delete posts based on their permissions. Would it be better to handle these permissions outside of JAAS, in the forum classes? And in this case, would user authentication be better suited for a home-brew method, instead of using JAAS?

Thanks in advance!
Richard
Ulf Dittmer
Yes, JAAS is rather complex. The SecurityFaq has links to several introductions, including a two-part article published in the JavaRanch Journal that has some simple code examples.

I've always shied away from using JAAS for authorization (and thus, for anything), opting instead for self-implemented solutions that check which methods and classes should be accessible according to the client's privileges.
 
Richard Reavis

Ulf Dittmer wrote:I've always shied away from using JAAS for authorization (and thus, for anything), opting instead for self-implemented solutions that check which methods and classes should be accessible according to the client's privileges.

Sounds like a plan to me. I'm under the impression (correct me if I'm wrong) that you need to create a class for each permission? I'd be making a lot of permissions at that rate.
I took a look at the "Authentication using JAAS" article, and I'm still a bit confused. How do you use callbacks to exchange login credentials? Especially with RMI (which I have not had a chance to use yet), how do you exchange this data? Also, within what method should you load in user data (usernames, passwords, etc.)?

Thanks for all the help!
Richard
 
Ulf Dittmer

Richard Reavis wrote:I'm under the impression (correct me if I'm wrong) that you need to create a class for each permission?

That's not what I meant. There wouldn't be any extra classes; the permissions a user has would be represented by data that's stored in the user repository, something like "boolean isAdmin", "boolean readOnlyAccess" etc. and then your code would check these before a particular operation is carried out. I find it beneficial to have these checks close to the code that they govern, instead of having JAAS perform those checks and throwing permissions if there are violations.

Richard Reavis wrote:How do you use callbacks to exchange login credentials? Especially with RMI (which I have not had a chance to use yet), how do you exchange this data? Also, within what method should you load in user data (usernames, passwords, etc.)?

I don't know how RMI might interact with JAAS, service propagation may be needed. My impression is that JAAS is used even less for apps with remote Java clients than for server-based apps, partly because of these problems.
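An added example (not code from the thread) of the flag-based, programmatic checks Ulf describes, in Java: permissions are plain data on the user record and each forum operation checks them right before it acts. The `User` and `Post` records, the session-token lookup and the `ForumService` class are all hypothetical; the token lookup assumes the server, not the RMI client, decides who the caller is.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical records: permissions are plain flags stored with the user, as the
// reply above suggests, rather than JAAS Permission classes.
record User(String name, boolean isAdmin, boolean readOnlyAccess) {}
record Post(long id, String author, String body) {}

// Server-side forum logic; the RMI remote object would delegate to this. Callers are
// identified by a session token issued at login (assumed), so the identity and its
// flags are looked up on the server instead of being trusted from the client.
final class ForumService {
    private final Map<String, User> sessions = new HashMap<>();
    private final Map<Long, Post> posts = new HashMap<>();
    private long nextId = 1;
    void registerSession(String token, User user) { sessions.put(token, user); }

    long createPost(String token, String body) {
        User caller = authenticated(token);
        if (caller.readOnlyAccess()) throw new SecurityException(caller.name() + " has read-only access");
        Post p = new Post(nextId++, caller.name(), body);
        posts.put(p.id(), p);
        return p.id();
    }

    void editPost(String token, long id, String body) {
        User caller = authenticated(token);
        Post p = existing(id);
        if (!canModify(caller, p)) throw new SecurityException(caller.name() + " may not edit post " + id);
        posts.put(id, new Post(id, p.author(), body));
    }

    void deletePost(String token, long id) {
        User caller = authenticated(token);
        if (!canModify(caller, existing(id))) throw new SecurityException(caller.name() + " may not delete post " + id);
        posts.remove(id);
    }

    // The check sits next to the operation it governs: author or admin may modify, read-only never.
    private static boolean canModify(User caller, Post p) {
        return !caller.readOnlyAccess() && (caller.isAdmin() || p.author().equals(caller.name()));
    }
    private User authenticated(String token) {
        User u = sessions.get(token);
        if (u == null) throw new SecurityException("not logged in");
        return u;
    }
    private Post existing(long id) {
        Post p = posts.get(id);
        if (p == null) throw new IllegalArgumentException("no post " + id);
        return p;
    }
}
```

Because the checks throw rather than silently skip, a client that calls `deletePost` over RMI without the right flag gets a `SecurityException` back and the server-side data is untouched.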
 
Richard Reavis
So in your opinion, is JAAS necessary or desired in this situation?
 
Ulf Dittmer
Necessary? No. But then, I've yet to encounter a scenario where I considered it necessary, so take that with a grain of salt.

Desirable? Hard to say. It comes down to declarative security vs. programmatic security. I generally prefer the latter, having found that declarative security solutions often aren't flexible enough to do the things that need doing. But YMMV.
 
Richard Reavis
I think I'm going to ditch JAAS for the time being. Thanks for all your help Ulf!
 