
Basic question about JAAS in Java ...

T Masga

Joined: Jun 25, 2008
Posts: 6

I'm a Java developer, and I'm used to developing web applications.

Recently I've taken a closer look at JAAS, and just as some time ago when I last looked into it, I still have many questions around it.

This is one subject where, no matter how many tutorials I read, there is something about it that does not compute in my head.

You know that feeling that there is just some -click- that must happen before everything clears up in the brain? I think I need something like that.

The thing is: JAAS has been around for quite some time. The way I see it, when I configure the roles and authentication mechanisms in a web application server, I'm using JAAS behind the scenes, even without knowing how it glues stuff together.

I can define the authentication type in the application server, then I define the roles in my web application, and then on deployment I can map them together, or I can have a specific deployment file for a specific application server that helps automate the task.

I normally define a Form Based Login, then create a custom form with j_security_check ...

But then again, JAAS defines some config files like:

Does the application server do this behind the scenes?

Recently I've come across a piece of software that I can install on an application server, Bonita Open Solution. Somewhere in the installation manual, I find something like:


- Copy the bonita.ear file into your JEE server deployment directory (e.g., jboss/server/default/deploy)

- Add BonitaAuth and BonitaStore login modules to the JAAS configuration for your JEE server:

o org.ow2.bonita.identity.auth.BonitaIdentityLoginModule

o org.ow2.bonita.identity.auth.BonitaRemoteLoginModule (must be stacked with your JEE JAAS propagation login module)

o edit jboss/server/default/conf/login-config.xml to add:

<application-policy name="BonitaAuth">
  <authentication>
    <login-module code="org.ow2.bonita.identity.auth.BonitaIdentityLoginModule" flag="required"/>
  </authentication>
</application-policy>

<application-policy name="BonitaStore">
  <authentication>
    <login-module code="org.ow2.bonita.identity.auth.BonitaRemoteLoginModule" flag="required"/>
    <login-module code="" flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
    </login-module>
  </authentication>
</application-policy>

- Start the server.

What confusion is this?

Shouldn't this be simpler?

Can anyone throw me a light on this stuff? Because, being a Java developer, I'm starting to feel really bad for not knowing what is starting to feel like a basic subject ...

Karthik Shiraly

Joined: Apr 04, 2009
Posts: 874

Hi, the login configuration file mentioned first is the syntax required by the default Configuration implementation provided by the JRE. But it can be overridden with a custom Configuration subclass to use any format. JBoss is using an XML format. It's only for authentication, not authorization.
I remember reading somewhere that JBoss uses only the JAAS authentication concepts, but implements its own authorization concepts, i.e., it doesn't use the familiar 'grant permission...' '.security' files.
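To make the two points above concrete (the JRE's default text Configuration syntax versus JBoss's XML, and what the password-stacking=useFirstPass option in the BonitaStore policy actually does at the LoginModule level), here is an added example written for this thread; it is not Bonita or JBoss code, and the class name, the com.example module names and the "alice"/"secret" test credentials are hypothetical.

```java
// Stacked LoginModule honouring password-stacking=useFirstPass (hypothetical example).
// The same BonitaStore stack in the JRE's default text Configuration format would read:
//   BonitaStore {
//       com.example.FirstModule   required;   // collects the credentials, fills sharedState
//       com.example.StackedModule required password-stacking=useFirstPass;
//   };
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class StackedModule implements LoginModule {
    // Conventional sharedState keys stacked JAAS modules use to pass credentials down the stack.
    private static final String NAME = "javax.security.auth.login.name";
    private static final String PASS = "javax.security.auth.login.password";
    private Subject subject;
    private CallbackHandler handler;
    private Map<String, ?> shared;
    private boolean useFirstPass, ok;
    private String user;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h; this.shared = shared;
        // The <module-option> from login-config.xml arrives here as a plain string option.
        useFirstPass = "useFirstPass".equals(opts.get("password-stacking"));
    }

    public boolean login() throws LoginException {
        char[] pass;
        if (useFirstPass && shared.containsKey(NAME)) {
            // Reuse what the first module collected: the user is prompted once for the whole stack.
            user = String.valueOf(shared.get(NAME));
            Object p = shared.get(PASS);
            pass = p instanceof char[] ? (char[]) p : String.valueOf(p).toCharArray();
        } else {
            // No stacked credentials: ask the container's CallbackHandler (e.g. the form login).
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[]{nc, pc}); }
            catch (Exception e) { throw new LoginException("callback failed: " + e); }
            user = nc.getName(); pass = pc.getPassword();
        }
        // Stand-in for a real credential store lookup (constructed test user alice/secret).
        ok = "alice".equals(user) && pass != null && "secret".equals(new String(pass));
        if (!ok) throw new FailedLoginException("bad credentials for " + user);
        return true;
    }
    public boolean commit() { if (ok) subject.getPrincipals().add(() -> user); return ok; }
    public boolean abort()  { ok = false; return true; }
    public boolean logout() { subject.getPrincipals().clear(); return true; }
}
```

Only the first module in the stack talks to the user; a module whose option is useFirstPass fails if the earlier module put nothing into sharedState and no CallbackHandler can supply credentials, which is why the Bonita manual insists the remote module be stacked with the server's propagation module.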
I agree. Here's the link: