
JSF, JAAS, and Tomcat

Chuck Syp

Joined: Feb 05, 2010
Posts: 5
I am pretty new to JSF, and so far I love it, with the exception of authorization and authentication. I have been looking for a good tutorial to get me going using JAAS with JSF and Tomcat for a while and have only found fragments. Does anyone know of a good online resource or book that could help me wrap my head around this? What I am trying to do isn't that uncommon; I am trying to authenticate a user against a MySQL database table or an LDAP server.

Thanks in advance for anyone that can help.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 17417

JAAS is a particular security framework, but the fundamental framework for J2EE is Container Managed Authentication and Authorization. It's not JAAS, although Tomcat can use JAAS as one of the security realm options.

The J2EE CMA&A model is based on an externally-defined "black box" A&A provider, known as a Realm. Basically, the Realm answers one of 2 questions:

1. Is the supplied userid/password combination valid?

2. Is the user a participant in security role "X" (X being supplied as a parameter)?

The container itself also interacts. It matches incoming URLs against the security URL patterns in order to determine if the user needs to be authenticated (logged in) and what roles a given URL may service.

Because the Realm is defined through a standard interface, you can select a Realm, such as the JDBCRealm, LDAP Realm, JAAS Realm, or even supply a custom realm for use with specialized systems such as a Web Services-based security API.

Documentation on developing webapps that interface with the J2EE Container Managed A&A subsystem is provided in most books on basic J2EE, especially those that cover servlets and JSPs. Documentation on setting up and configuring a Realm is part of the server documentation, and the Tomcat Realm documentation is fairly good.

An IDE is no substitute for an Intelligent Developer.
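
The container-managed model described in the post above, as an added configuration example that is not from the thread or from the Tomcat documentation: the `web.xml` fragment gives the container its URL patterns and roles, and the `context.xml` fragment points it at a JDBCRealm backed by MySQL. The URL pattern, role name, login pages, database name, account, table and column names, and driver class are all assumptions; the nested `CredentialHandler` assumes Tomcat 8 or later.

```xml
<!-- Fragment 1: WEB-INF/web.xml, placed inside <web-app>.
     The container matches request URLs against url-pattern and, on a match,
     asks the Realm whether the user is valid and holds the listed role. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected pages</web-resource-name>
    <url-pattern>/secure/*</url-pattern>            <!-- assumed path -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>member</role-name>                   <!-- assumed role -->
  </auth-constraint>
  <user-data-constraint>
    <!-- Force HTTPS so the password is not sent in clear text. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- The login form must POST j_username and j_password to j_security_check. -->
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/login-error.html</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>member</role-name>
</security-role>

<!-- Fragment 2: META-INF/context.xml.
     Selects the Realm. Swapping this element for another Realm class
     (LDAP, JAAS, custom) leaves web.xml and the application unchanged. -->
<Context>
  <Realm className="org.apache.catalina.realm.JDBCRealm"
         driverName="com.mysql.jdbc.Driver"
         connectionURL="jdbc:mysql://localhost:3306/appdb"
         connectionName="realm_reader"
         connectionPassword="CHANGE_ME"
         userTable="users" userNameCol="user_name" userCredCol="user_pass"
         userRoleTable="user_roles" roleNameCol="role_name">
    <!-- Compare against salted PBKDF2 hashes instead of plain-text passwords. -->
    <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
                       algorithm="PBKDF2WithHmacSHA512" iterations="100000"
                       keyLength="256" saltLength="16"/>
  </Realm>
</Context>
```

The database account used by the Realm only needs SELECT on the two tables, and `user_roles` must carry the same `user_name` column as `users`.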
Kamal Wickramanayake

Joined: Jul 10, 2010
Posts: 27
Again, not JAAS, but have a look at Using Spring Security in your Java web application.

I am sure you will love it. MySQL, LDAP and many other authentication mechanisms are possible.