
Why JAAS ?

clojure forum advocate
Posts: 3479
Hey all.
I am just wondering about the importance of JAAS.
When to use JAAS?
EJB and servlet architecture already have two types of security:
declarative and programmatic.
If we already have these approaches, why use JAAS?
Ranch Hand
Posts: 393
Well, it depends on your architecture. Suppose you are using EJB. Then we don't need to use JAAS, as we can use EJB security.

Actually JAAS can be used as authentication technology for servlets. One important feature of JAAS is pure Java implementation. The JAAS infrastructure is divided into two main components: an authentication component and an authorization component. The JAAS authentication component provides the ability to reliably and securely determine who is currently executing Java code, regardless of whether the code is running as an application, an applet, a bean, or a servlet.

It totally depends on the architecture. I don't know much about JAAS; I have just gone through this.

Hope above helps !!
[ September 03, 2004: Message edited by: james edwin ]
Posts: 10336
JAAS is intended as a pluggable authentication service. Sun's intention (in the J2EE world anyway) is that security can become separate from vendor-specific code as much as possible. Instead of defining a lot of security stuff in the container's security - which can be quite involved, and possibly will affect other applications deployed in the same container - they want you to define a LoginModule which you can deploy as part of your application so everything your application needs, including security, is all in one EAR.

JAAS can be very useful for wrapping odd, legacy security mechanisms. It can also be useful for programmatic security when you find declarative security works for most cases, except for the odd exceptional case.

However, how well this is implemented varies across vendors. For example, WebSphere in particular is a big problem, since you can't yet (in 5.1) use a LoginModule as the primary (or only) authentication mechanism with web apps using form-based authentication. You still have to use a Custom User Registry. WebSphere also implements its own versions of some of the key classes involved in JAAS (WSSubject and WSCredentials), which dilutes the standard.
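
The LoginModule described in the post above, as an added example that is not part of the thread or of any vendor's code: a module that wraps a legacy credential check and is driven stand-alone through `LoginContext`. The class name, `legacyCheck` and the demo credential are hypothetical and constructed for illustration; Java 17 or later is assumed.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
// Hypothetical module: wraps a legacy credential check behind the JAAS LoginModule SPI.
public class LegacyLoginModule implements LoginModule {
    record User(String name) implements Principal { public String getName() { return name; } }
    private Subject subject; private CallbackHandler handler;
    private User user;   // set by login(), attached to the Subject only in commit()
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }
    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user: ");
        PasswordCallback pw = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { name, pw }); }
        catch (Exception e) { throw new LoginException("cannot collect credentials: " + e); }
        char[] secret = pw.getPassword();   // a copy of the password; may be null
        pw.clearPassword();
        boolean ok = secret != null && legacyCheck(name.getName(), secret);
        if (secret != null) Arrays.fill(secret, '\0');   // do not keep the secret around
        if (!ok) throw new FailedLoginException("authentication failed");
        user = new User(name.getName());
        return true;
    }
    public boolean commit() { if (user == null) return false; subject.getPrincipals().add(user); return true; }
    public boolean abort() { return user != null && logout(); }
    public boolean logout() {
        if (user != null) subject.getPrincipals().remove(user);
        user = null; return true;
    }
    // Stand-in for the legacy system's check; constructed demo credential only.
    static boolean legacyCheck(String u, char[] p) {
        return "alice".equals(u) && Arrays.equals(p, "demo-only".toCharArray());
    }
    public static void main(String[] args) throws LoginException {
        Configuration cfg = new Configuration() {   // normally supplied by a JAAS config file
            public AppConfigurationEntry[] getAppConfigurationEntry(String app) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(LegacyLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        };
        CallbackHandler ch = cbs -> { for (Callback c : cbs) {   // constructed input
            if (c instanceof NameCallback n) n.setName("alice");
            else if (c instanceof PasswordCallback p) p.setPassword("demo-only".toCharArray()); } };
        LoginContext lc = new LoginContext("demo", new Subject(), ch, cfg);
        lc.login();
        System.out.println(lc.getSubject().getPrincipals());
    }
}
```

The principal is added to the `Subject` only in `commit()`, so a failure in another module stacked in the same configuration leaves the `Subject` unchanged.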