JAAS with Struts2

Soheil Tayari
Greenhorn

Joined: Apr 04, 2008
Posts: 29
Ok, I didn't know whether to ask it here or in the Struts2 forum, but since it's more JAAS related I'd rather ask it here. Here's the story:

I was searching for a best way to utilize the login mechanism with Struts2.
I tried container managed authentication with Tomcat which is pretty good (since it handles most of the hard work) but it's a little incompatible with Struts2 'cause Struts2 tries to be independent of underlying Servlet context.
Using JAAS with CMA is the same. In this case Tomcat uses my custom LoginModule and a JAAS realm to authenticate users instead of its default mechanism (correct me if I'm wrong).
All these brought me to another way, which is using a login Interceptor for restricted resources. The Interceptor will redirect to the login page if the request reaches a restricted resource. Then the login information is submitted to a Struts2 Action. Here I have to do the authentication manually. Given the username and password from the Action class I call my LoginModule and authentication takes place. Here's the part I can't figure out: after getting the Subject and Principals I don't know how to store them so the user is recognized across different requests to restricted resources. If I store the Subject in the HttpSession I lose my LoginContext, and storing the whole LoginContext in the Session doesn't make sense to me.
Sorry for the long story, I just wanted to clear the point. Any help would be appreciated.
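An added example (not code from this thread) of the Interceptor-plus-Action approach described above: the login Action runs the LoginModule through a LoginContext, keeps only the resulting Subject in the session and drops the LoginContext; a Struts2 interceptor then checks for that Subject on restricted actions. The "StrutsApp" JAAS config entry name, the session key and the class names are assumptions, and registering the interceptor in struts.xml is not shown.

```java
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

public class JaasSessionAuth {
    // Constructed session key; "StrutsApp" is a hypothetical entry in the JAAS login config.
    static final String SUBJECT_KEY = "jaas.subject";
    static final String JAAS_ENTRY = "StrutsApp";

    /** Called by the login Action: runs the LoginModule and returns the authenticated
     *  Subject (null on failure). Only the Subject, which is Serializable, is kept. */
    public static Subject authenticate(String user, char[] pass) {
        CallbackHandler handler = cbs -> {
            for (Callback cb : cbs) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        try {
            LoginContext lc = new LoginContext(JAAS_ENTRY, handler);
            lc.login();
            return lc.getSubject();   // the LoginContext itself is not needed again
        } catch (LoginException e) {
            return null;              // fail closed; don't tell the caller which step failed
        } finally {
            Arrays.fill(pass, '\0');  // wipe the password copy held by the Action
        }
    }

    /** Login Action calls this after a successful authenticate(). Rotating the
     *  session id here (container-specific) guards against session fixation. */
    public static void remember(Map<String, Object> session, Subject subject) {
        session.put(SUBJECT_KEY, subject);
    }
    /** Struts2 interceptor for restricted actions: no Subject in session -> "login" result. */
    public static class LoginInterceptor extends AbstractInterceptor {
        @Override
        public String intercept(ActionInvocation inv) throws Exception {
            Object s = inv.getInvocationContext().getSession().get(SUBJECT_KEY);
            return (s instanceof Subject) ? inv.invoke() : Action.LOGIN;
        }
    }
}
```

Every Principal the LoginModule adds to the Subject must itself be Serializable for the session to survive passivation or replication.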
Jimmy Clark
Ranch Hand

Joined: Apr 16, 2008
Posts: 2187
Presentation Tier
Business Tier
Integration Tier

A Web or GUI component is on the Presentation tier at the top. And the secured data and resources are on the Integration tier on the bottom.

Ideally, a JAAS implementation IS NOT hard-wired to stuff in the Presentation tier, even if a technology provides a way to do it, e.g. Tomcat, Struts, etc.

Your JAAS implementation should be invoked by Business objects not Presentation objects. A Struts Action object is part of a Controller on the Presentation tier.

What you find above is how three-tier programming designs handle things. If you are working on a simple web app with limited usage, you wouldn't use JAAS. JAAS is for the big boys.
Soheil Tayari
Greenhorn

Joined: Apr 04, 2008
Posts: 29
Thanks Jimmy, much appreciate your response. And what made you think I'm not a big boy?
So what you're saying basically is that if I want to authenticate someone I have to make a call to a business-layer object which in turn does the JAAS-related work and returns a result as a domain object (like a User object).
Jimmy Clark
Ranch Hand

Joined: Apr 16, 2008
Posts: 2187
Almost. If you wanted to design this in accord with Sun's J2EE programming model, then this is how you would do it. There are certainly other design options.

The JAAS-related code is for security. It shouldn't be creating domain/business objects as a result. Basically, all you need is a signal from the login module: 0 or 1, yes or no, good or bad. If there is indeed other security-related info needed, then this gets passed back to the Business tier. Ideally, your "user" object has already been created. It just needs to be authenticated and authorized.

Aside, JAAS is typically for distributed, enterprise systems, i.e. big boys, built with enterprise-class application servers, e.g. Websphere, Weblogic, etc. These systems have the heavy security requirements which JAAS was designed to address.
Soheil Tayari
Greenhorn

Joined: Apr 04, 2008
Posts: 29
Thank you very much. Your post was really helpful.