Differences between authorisation in JAAS and EJB security

Luke Murphy
Ranch Hand

Joined: May 12, 2010
Posts: 300
Hi,
Both EJB and JAAS offer mechanisms where you can stop some users doing certain things.
In EJB, you can annotate business methods and in JAAS you can configure Principal's privileges in policy files.

I am trying to get into my head the differences between authorisation in JAAS and authorisation in EJB.

How about this:

1. In JAAS, anything that requires privileges is put into a class which implements java.security.PrivilegedAction. This means that some code that isn't even an EJB can have some of its privileges restricted.

2. In JAAS the range of privileges is defined by the security model. They consist of things like file access, reading certain system properties, etc. The EJB security access doesn't have any configuration for things like file access or reading system properties. You'd have to put the parts of your code that did this into methods and then annotate those methods.

3. In EJB the authorisation consists only of whether it is permissible for a user to execute a certain method or not. JAAS doesn't provide this out of the box. I think you could check the principal at runtime and then write some if / else logic, but it doesn't come out of the box.

Correct me if I am wrong on any of the above and feel free to add any key conceptual difference between the two I have missed.

Thanks!
Luke Murphy
Ranch Hand

Joined: May 12, 2010
Posts: 300
4. Because the authorisation in JAAS uses the policy / permission framework, it works on a jar file level, whereas the EJB annotations can of course be much more fine grained.
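As an added illustration of points 1 to 4 (example code, not from the thread): the EJB side puts the rule on the method and asks who the caller is, while the JAAS side puts the rule in a policy file keyed by jar location and Principal and asks what the code may do. PayrollBean, the role names, the file paths and com.example.RolePrincipal are all constructed for this example.

```java
import java.io.FilePermission;
import java.security.AccessController;
import java.security.PrivilegedAction;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.security.auth.Subject;

// EJB side: the question is WHO may CALL this method. Roles are declared
// here and mapped to real users/groups by the container at deployment.
@Stateless
@DeclareRoles({"clerk", "manager"})
public class PayrollBean {
    @Resource private SessionContext ctx;

    @RolesAllowed({"clerk", "manager"})   // container enforces this before the body runs
    public String viewSalary(String employee) { return "..."; }

    @RolesAllowed("manager")
    public void raiseSalary(String employee, int pct) {
        // programmatic check (the "if / else at runtime" of point 3) refining the declarative rule
        if (pct > 10 && !ctx.isCallerInRole("manager")) {
            throw new EJBAccessException("only managers may raise by more than 10%");
        }
    }
}
// JAAS side: the question is WHAT the running code, and the Subject it runs on
// behalf of, may DO. Grants live in a policy file keyed by jar and/or Principal
// (constructed example policy; com.example.RolePrincipal is hypothetical):
//
//   grant codeBase "file:/opt/app/payroll.jar",
//         principal com.example.RolePrincipal "manager" {
//       permission java.io.FilePermission "/var/payroll/-", "read";
//   };
class ExportReport implements PrivilegedAction<Boolean> {
    public Boolean run() {
        // throws java.security.AccessControlException when the effective policy
        // (code source plus Subject principals) does not grant the permission
        AccessController.checkPermission(new FilePermission("/var/payroll/2024.csv", "read"));
        return Boolean.TRUE;
    }
    // doAsPrivileged binds the Subject's principals into the access-control context,
    // so the principal-based grant above is what decides the outcome
    static Boolean runAs(Subject authenticatedSubject) {
        return Subject.doAsPrivileged(authenticatedSubject, new ExportReport(), null);
    }
}
```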