LoginModules (jaas) and EJB

 
Ranch Hand
Posts: 51
Dear All!

I'm a beginner and I need someone's advice on the following subject:

I'm writing a J2EE application and I store user data as an entity bean. In this bean I keep the passwords and logins too.

Now I'm implementing the web interface and I'm wondering how to secure it. I'm using JBoss and it is using JAAS. I think that I should write a custom login module which would take the data from the EJB. Is this a good idea? If not, what solutions are better?

Thanks in advance for your help

Karol Oslowski
 
Rancher
Posts: 43081
77
It depends on your requirements, especially how fine-grained you need security to be. If you have your user data in a relational DB already, and it is sufficient to assign various roles to them after they are authenticated, it may be sufficient to use servlet security (i.e., setting up a realm, and hooking it up in your web.xml). It's a programmatic approach, where you check whether a user has a certain role before executing actions that require specific role privileges.
If you want/need to handle access declaratively, possibly even on a per-method basis, JAAS would be the way to go. JAAS is much more powerful, but also a lot more involved to implement.
 
Karol Oslowski
Ranch Hand
Posts: 51
Thank you for your answer. But actually my concern was mainly whether it is nice (well designed) to keep user data (such as logins and passwords) in an Entity Bean with CMP.

Thanks again

k.
 
Ulf Dittmer
Rancher
Posts: 43081
77
As long as you ensure that not just any old web application can get access to the user information, I see no problem with using EJBs.
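An added example, not part of any post in this thread: a sketch of the custom JAAS login module the question describes, written so that the user store hands out only a salt and a password hash rather than the password itself. The `UserStore` interface, the class name, the PBKDF2 parameters and the use of Java 8+ are assumptions; the JBoss-specific wiring is not shown.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical facade over the user entity bean: exposes salt and password hash only.
interface UserStore { byte[] salt(String login); byte[] hash(String login); }

public class StoreLoginModule implements LoginModule {
    static UserStore store; // assumption: set once at deployment to the EJB-backed lookup
    private Subject subject;
    private CallbackHandler handler;
    private Principal user;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
        subject = s; handler = h;
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("login: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
        final String name = nc.getName();
        char[] pw = pc.getPassword();   // a copy; the callback's own buffer is cleared next
        pc.clearPassword();
        byte[] salt = store.salt(name), expected = store.hash(name);
        if (pw == null || salt == null || expected == null) throw new FailedLoginException("login failed");
        byte[] actual;
        try {   // PBKDF2 parameters are assumptions; they must match how the hash was stored
            PBEKeySpec spec = new PBEKeySpec(pw, salt, 100_000, expected.length * 8);
            actual = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) { throw new LoginException(e.toString()); }
        finally { Arrays.fill(pw, '\0'); }
        // Constant-time comparison, same error for unknown user and wrong password.
        if (!MessageDigest.isEqual(actual, expected)) throw new FailedLoginException("login failed");
        user = () -> name;   // Principal's only abstract method is getName()
        return true;
    }

    public boolean commit() { if (user == null) return false; subject.getPrincipals().add(user); return true; }
    public boolean abort() { user = null; return true; }
    public boolean logout() { subject.getPrincipals().remove(user); user = null; return true; }
}
```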