• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
  • Mikalai Zaikin

Basic Security Questions

Posts: 14
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I have a few basic questions. We are developing a typical application using Websphere 5.0 that has both a web tier (eg Struts) and an EJB tier.
a) We plan on using form-based authentication (with SSL) -- can we use JAAS to authenticate the user against IBM Directory Server? Which approach would I use to achieve this, ie integrate JAAS with Struts or use form-based custom authentication or is their some other approach that is better?
b) Once the user is authenticated in the web tier and they make a call into the ejb tier, I assume the security context passed in means that they arent re-authenticated via JAAS again in the ejb tier?
c) Does JAAS have to be setup separately for both the web and ejb tiers?
d) Given that both the web and ejb tier have their own deployment descriptors is their anyway to consolidate the information, or does this have to be duplicated in each deployment descriptor?

many thanks,
Posts: 367
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
The first couple questions are websphere specific, so I can't really give you authoritative answers in that context, but if it's anything like JBoss, you declare you JAAS domain at the appserver and bind your web/ejb layers to it in the vendor deployment descriptors.

On the last question, XDoclet is a great way to consolidate your deployment information. You can put the deployment information in your source and, if you want, share common values from ant properties. (most likely in a property file)
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
    Bookmark Topic Watch Topic
  • New Topic