Ok I didn't know whether to ask it here or in the Struts2 forum but since it's more JAAS related I'd rather ask it here. Here's the story:
I was searching for a best way to utilize the login mechanism with Struts2.
I tried container managed authentication with Tomcat which is pretty good (since it handles most of the hard work) but it's a little incompatible with Struts2 'cause Struts2 tries to be independent of underlying Servlet context.
Using JAAS with CMA is the same. In this case Tomcat uses my custom LoginModule and a JAAS realm to authenticate users instead of its default mechanism (correct me if I'm wrong).
All these brought me to another way which is using a login Interceptor for restricted resources. The Interceptor will redirect to the login page if the request reaches a restricted resource. Then login information is submitted to a Struts2 Action. Here I have to do the authentication manually. Given the username and password from the Action class I call my LoginModule and authentication takes place. Here's the part I can't figure out: after getting the Subject and Principals I don't know how to store them so the user is recognized across different requests to restricted resources. If I store the Subject in the HttpSession I lose my LoginContext, and storing the whole LoginContext in the Session doesn't make sense to me.
Sorry for the long story, I just wanted to make the point clear. Any help would be appreciated.
A Web or GUI component is on the Presentation tier at the top. And the secured data and resources are on the Integration tier on the bottom.
Ideally, a JAAS implementation IS NOT hard-wired to stuff in the Presentation tier, even if a technology provides a way to do it, e.g. Tomcat, Struts, etc.
Your JAAS implementation should be invoked by Business objects not Presentation objects. A Struts Action object is part of a Controller on the Presentation tier.
What you find above is how three-tier programming designs handle things. If you are working on a simple web app with limited usage, you wouldn't use JAAS. JAAS is for the big boys.
Thanks Jimmy, I much appreciate your response. And what made you think I'm not a big boy?
So what you're saying basically is that if I want to authenticate someone I have to make a call to a business-layer object which in turn does the JAAS-related work and returns a result as a domain object (like a User object).
Almost. If you wanted to design this in accord with Sun's J2EE programming model, then this is how you would do it. There are certainly other design options.
The JAAS-related code is for security. It shouldn't be creating domain/business objects as a result. Basically, all you need is a signal from the login module: 0 or 1, yes or no, good or bad. If there is indeed other security-related info needed, then this gets passed back to the Business tier. Ideally, your "user" object has already been created. It just needs to be authenticated and authorized.
Aside, JAAS is typically for distributed, enterprise systems, i.e. big boys, built with enterprise-class application servers, e.g. Websphere, Weblogic, etc. These systems have the heavy security requirements which JAAS was designed to address.
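The design Jimmy describes, as an added example that is not part of this thread: a business-tier `authenticate()` that drives JAAS and hands back only the `Subject` (or null), with no Struts or Servlet types in sight. The `DemoModule`, the app name "DemoApp", the in-code `Configuration` and the alice/s3cret credentials are constructed stand-ins for the poster's own LoginModule and jaas.conf; the JDK-supplied `com.sun.security.auth.UserPrincipal` is used so no Principal class has to be written.

```java
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import com.sun.security.auth.UserPrincipal;   // JDK-supplied Principal, saves writing our own
import java.util.*;

public class JaasDemo {
    /** Business-tier service: drives JAAS and returns only the Subject (null = rejected).
     *  The LoginContext is dropped on purpose: it is only needed for login()/logout(); the
     *  Subject and its Principals are ordinary objects and can be kept in the HttpSession. */
    public static Subject authenticate(String user, char[] password) {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        try {
            LoginContext lc = new LoginContext("DemoApp", handler);   // app name is a constructed stand-in
            lc.login();                 // runs DemoModule.login() then commit()
            return lc.getSubject();
        } catch (LoginException e) { return null; }   // yes/no signal only; no failure details leak upward
    }

    /** Constructed in-memory LoginModule standing in for the poster's custom module. */
    public static class DemoModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private String user;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: "); PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[]{nc, pc}); } catch (Exception e) { throw new LoginException(e.toString()); }
            boolean ok = "alice".equals(nc.getName()) && Arrays.equals("s3cret".toCharArray(), pc.getPassword());
            pc.clearPassword();         // do not keep the password around longer than needed
            if (!ok) throw new FailedLoginException("bad credentials");
            user = nc.getName(); return true;
        }
        public boolean commit() { subject.getPrincipals().add(new UserPrincipal(user)); return true; }
        public boolean abort()  { user = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    public static void main(String[] args) {
        Configuration.setConfiguration(new Configuration() {   // in-code stand-in for a jaas.conf file
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[]{ new AppConfigurationEntry(DemoModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.emptyMap()) }; }
        });
        Subject s = authenticate("alice", "s3cret".toCharArray());
        System.out.println(s == null ? "rejected" : "accepted, principals=" + s.getPrincipals());
        System.out.println(authenticate("alice", "wrong".toCharArray()) == null ? "rejected" : "accepted");
    }
}
```

A Struts2 Action would call `authenticate()` and put the returned `Subject` in the session; a later logout needs a fresh `LoginContext(name, subject)` built from that stored Subject rather than the original one.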
Thank you very much. Your post was really helpful.