I'm working on a client-server project, using RMI to communicate between each side. I was thinking about using JAAS to authenticate and authorize my clients on the server. I can't seem to find any examples that make sense to me. I'm looking to log users in and load the corresponding user's permissions. These permissions should tell the server what methods the client can and cannot execute. These methods will be modifying data structures (adding, deleting, modifying elements). I'm pretty confused about how to fit all the pieces together. Does anybody have any suggestions, tutorials, example code, etc. that might be useful?
To be more clear about my requirements, I'm planning on having a forum structure (and other features) that certain users should be able to create, edit, or delete posts based on their permissions. Would it be better to handle these permissions outside of JAAS, in the forum classes? And in this case, would user authentication be better suited for a home-brew method, instead of using JAAS?
Thanks in advance!
Richard
Yes, JAAS is rather complex. The SecurityFaq has links to several introductions, including a two-part article published in the JavaRanch Journal that has some simple code examples.
I've always shied away from using JAAS for authorization (and thus, for anything), opting instead for self-implemented solutions that check which methods and classes should be accessible according to the client's privileges.
Ulf Dittmer wrote: I've always shied away from using JAAS for authorization (and thus, for anything), opting instead for self-implemented solutions that check which methods and classes should be accessible according to the client's privileges.
Sounds like a plan to me. I'm under the impression (correct me if I'm wrong) that you need to create a class for each permission? I'd be making a lot of permissions at that rate. I took a look at the "Authentication using JAAS" article, and I'm still a bit confused. How do you use callbacks to exchange login credentials? Especially with RMI (which I have not had a chance to use yet), how do you exchange this data? Also, within what method should you load in user data (usernames, passwords, etc.)?
Richard Reavis wrote: I'm under the impression (correct me if I'm wrong) that you need to create a class for each permission?
That's not what I meant. There wouldn't be any extra classes; the permissions a user has would be represented by data that's stored in the user repository, something like "boolean isAdmin", "boolean readOnlyAccess" etc. and then your code would check these before a particular operation is carried out. I find it beneficial to have these checks close to the code that they govern, instead of having JAAS perform those checks and throwing permissions if there are violations.
How do you use callbacks to exchange login credentials? Especially with RMI (which I have not had a chance to use yet), how do you exchange this data? Also, within what method should you load in user data (usernames, passwords, etc.)?
I don't know how RMI might interact with JAAS; service propagation may be needed. My impression is that JAAS is used even less for apps with remote Java clients than for server-based apps, partly because of these problems.
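As an added illustration of the programmatic approach described above (permissions stored as plain booleans on the user record, with each check placed right next to the operation it governs), and not code from this thread or from any of its posters, here is a skeleton forum service in Java. The RMI-related shape (a `Remote` interface, an opaque session token returned by `login` and passed with every later call, so that the server rather than the client decides who the caller is) is my assumption about how to carry identity over RMI; the thread does not settle that question. `ForumService`, `UserRecord`, `ForumServer` and the demo user are hypothetical names and constructed data.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Remote API (assumed shape). The client logs in once, receives an opaque session token,
 *  and sends it with every later call; the server, never the client, decides who is calling. */
interface ForumService extends Remote {
    String login(String username, char[] password) throws RemoteException;
    int createPost(String token, String body) throws RemoteException;
    void editPost(String token, int postId, String body) throws RemoteException;
    void deletePost(String token, int postId) throws RemoteException;
}

/** One row of the (hypothetical) user repository: permissions are plain booleans, no class per permission. */
final class UserRecord {
    final String username;
    final byte[] salt, passwordHash;                 // never the clear-text password
    final boolean canPost, canEditAnyPost, canDeletePost;

    UserRecord(String username, byte[] salt, byte[] hash, boolean post, boolean editAny, boolean delete) {
        this.username = username; this.salt = salt; this.passwordHash = hash;
        this.canPost = post; this.canEditAnyPost = editAny; this.canDeletePost = delete;
    }
}

/** Server side; each permission check sits beside the operation it protects. */
final class ForumServer implements ForumService {
    private final Map<String, UserRecord> users;                      // username -> record
    private final Map<String, UserRecord> sessions = new HashMap<>(); // session token -> user
    private final Map<Integer, String> postAuthors = new HashMap<>(); // postId -> author
    private final Map<Integer, String> postBodies = new HashMap<>();  // postId -> text
    private final SecureRandom rng = new SecureRandom();
    private int nextPostId = 1;

    ForumServer(Map<String, UserRecord> users) { this.users = users; }

    /** PBKDF2 password hashing (deliberately slow); used both to create and to verify hashes. */
    static byte[] hashPassword(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    // synchronized because RMI dispatches concurrent calls on separate threads.
    public synchronized String login(String username, char[] password) {
        UserRecord u = users.get(username);
        // Constant-time compare; one generic message whether the user or the password was wrong.
        if (u == null || !MessageDigest.isEqual(hashPassword(password, u.salt), u.passwordHash)) {
            throw new SecurityException("login failed");
        }
        byte[] raw = new byte[32];
        rng.nextBytes(raw);                                           // unguessable session token
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, u);
        return token;
    }

    private UserRecord requireLogin(String token) {
        UserRecord u = sessions.get(token);
        if (u == null) throw new SecurityException("not logged in");
        return u;
    }

    public synchronized int createPost(String token, String body) {
        UserRecord u = requireLogin(token);
        if (!u.canPost) throw new SecurityException(u.username + " may not create posts");
        int id = nextPostId++;
        postAuthors.put(id, u.username);
        postBodies.put(id, body);
        return id;
    }

    public synchronized void editPost(String token, int postId, String body) {
        UserRecord u = requireLogin(token);
        String author = postAuthors.get(postId);
        if (author == null) throw new IllegalArgumentException("no such post: " + postId);
        // Authors may edit their own posts; users with canEditAnyPost may edit anyone's.
        if (!author.equals(u.username) && !u.canEditAnyPost) {
            throw new SecurityException(u.username + " may not edit post " + postId);
        }
        postBodies.put(postId, body);
    }

    public synchronized void deletePost(String token, int postId) {
        UserRecord u = requireLogin(token);
        if (!u.canDeletePost) throw new SecurityException(u.username + " may not delete posts");
        if (postAuthors.remove(postId) == null) throw new IllegalArgumentException("no such post: " + postId);
        postBodies.remove(postId);
    }

    /** Constructed demo data; a real server would load the repository from a database or file. */
    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        Map<String, UserRecord> repo = new HashMap<>();
        repo.put("alice", new UserRecord("alice", salt, hashPassword("s3cret".toCharArray(), salt),
                                         true, false, false));       // ordinary member, no delete right
        ForumServer server = new ForumServer(repo);
        String token = server.login("alice", "s3cret".toCharArray());
        int id = server.createPost(token, "hello");
        server.editPost(token, id, "hello, edited");                  // own post: allowed
        try {
            server.deletePost(token, id);                             // not permitted: refused
        } catch (SecurityException e) {
            System.out.println("refused as expected: " + e.getMessage());
        }
    }
}
```

The `main` exercises the server in-process; to expose it over RMI you would export the `ForumServer` instance with `UnicastRemoteObject.exportObject` and bind it in a registry, which is left out here. `SecurityException` is an unchecked, serializable exception, so a refused call reaches the remote client as an exception rather than silently succeeding, and the permission data stays server-side in the user record where the checking code can read it directly.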
Necessary? No. But then, I've yet to encounter a scenario where I considered it necessary, so take that with a grain of salt.
Desirable? Hard to say. It comes down to declarative security vs. programmatic security. I generally prefer the latter, having found that declarative security solutions often aren't flexible enough to do the things that need doing. But YMMV.