I'm a Java developer, and I'm used to developing web applications.
Recently I took a closer look at JAAS, and compared with the time I last looked into it, I still have many questions about it.
This is one subject that, no matter how many tutorials I read, there is something about it that does not compute in my head.
You know that feeling that there is just some -click- that must happen before everything clears up in the brain? I think I need something like that.
The thing is: JAAS has been around for quite some time. The way I see it, when I configure the roles and authentication mechanisms in a web application server, I'm using JAAS behind the scenes, even without knowing how it glues stuff together.
I can define the authentication type in application server, then I define the roles in my web application, and then on deployment, I can map them together, or I can have a specific deployment file for a specific application server that helps automating the task.
I normally define a Form Based Login, then create a custom form with j_security_check ...
But then again, JAAS defines some config files like:
Does the application server do this behind the scenes?
Recently I came across a piece of software that I can install on an application server, Bonita Open Solution. Somewhere in the installation manual, I found something like:
- Copy the bonita.ear file into your JEE server deployment directory (e.g., jboss/server/default/deploy)
- Add the BonitaAuth and BonitaStore login modules to the JAAS configuration for your JEE server:
  - org.ow2.bonita.identity.auth.BonitaRemoteLoginModule (must be stacked with your JEE JAAS propagation login module)
  - edit jboss/server/default/conf/login-config.xml to add:
Hi, the login configuration file mentioned first is the syntax required by the default Configuration implementation provided by the JRE. But it can be overridden with a custom Configuration subclass to use any format. JBoss is using an XML format. It's only for authentication, not authorization.
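To illustrate the answer above, here is an added example (not code from the question, the answer, Bonita or JBoss) of the same two-module stack expressed three ways: the default JRE text syntax, the JBoss login-config.xml shape (from memory of JBoss 4/5, so treat it as an assumption), and a custom `javax.security.auth.login.Configuration` subclass that bypasses both file formats. The propagation module class `com.example.PropagationLoginModule` and the application name `BonitaAuth` are placeholders.

```java
import java.util.Collections;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

/*
 * The default JRE Configuration reads this text syntax (e.g. the file named by
 * -Djava.security.auth.login.config):
 *
 *   BonitaAuth {
 *       com.example.PropagationLoginModule required;   // placeholder for the server's propagation module
 *       org.ow2.bonita.identity.auth.BonitaRemoteLoginModule required;
 *   };
 *
 * JBoss reads the same stack from conf/login-config.xml instead (assumed shape):
 *
 *   <application-policy name="BonitaAuth">
 *     <authentication>
 *       <login-module code="com.example.PropagationLoginModule" flag="required"/>
 *       <login-module code="org.ow2.bonita.identity.auth.BonitaRemoteLoginModule" flag="required"/>
 *     </authentication>
 *   </application-policy>
 *
 * Either way, LoginContext ends up asking a Configuration for the entries returned below.
 */
public class StackedConfiguration extends Configuration {

    private static final Map<String, String> NO_OPTIONS = Collections.emptyMap();

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        if (!"BonitaAuth".equals(name)) {
            return null; // unknown application name: LoginContext tries "other", then fails
        }
        // Both modules are REQUIRED: every module still runs even after one fails,
        // so an attacker cannot tell from timing which module rejected the login.
        return new AppConfigurationEntry[] {
            new AppConfigurationEntry("com.example.PropagationLoginModule",
                    LoginModuleControlFlag.REQUIRED, NO_OPTIONS),
            new AppConfigurationEntry("org.ow2.bonita.identity.auth.BonitaRemoteLoginModule",
                    LoginModuleControlFlag.REQUIRED, NO_OPTIONS),
        };
    }

    // Install once at startup; new LoginContext("BonitaAuth", callbackHandler) then uses this stack.
    public static void install() {
        Configuration.setConfiguration(new StackedConfiguration());
    }
}
```

This only decides which LoginModules run and how their results combine; as the answer says, it says nothing about which roles the resulting Subject has.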
I remember reading somewhere that JBoss uses only the JAAS authentication concepts, but implements its own authorization concepts, i.e., it doesn't use the familiar 'grant permission...' '.security' files.