Basic question about JAAS in Java ...

I'm a Java developer, and I'm used to developing web applications.

Recently I took a closer look at JAAS, and just as when I last looked into it some time ago, I still have many questions about it.

This is one subject that, no matter how many tutorials I read, there is something about it that does not compute in my head.

You know that feeling that there is just some -click- that must happen before everything clears up in the brain? I think I need something like that.

The thing is: JAAS has been around for quite some time. The way I see it, when I configure the roles and authentication mechanisms in a web application server, I'm using JAAS behind the scenes, even without knowing how it glues stuff together.

I can define the authentication type in the application server, then define the roles in my web application, and then on deployment I can map them together, or I can have a specific deployment file for a specific application server that helps automate the task.

I normally define a Form Based Login, then create a custom form with j_security_check ...

But then again, the JAAS defines some config files like:

Does the application server do it behind the scenes?

Recently I came across a piece of software that I can install on an application server, Bonita Open Solution. Somewhere in the installation manual, I find something like:


- Copy the bonita.ear file into your JEE server deployment directory (e.g., jboss/server/default/deploy)

- Add BonitaAuth and BonitaStore login modules to the JAAS configuration for your JEE server:

o org.ow2.bonita.identity.auth.BonitaIdentityLoginModule

o org.ow2.bonita.identity.auth.BonitaRemoteLoginModule (must be stacked with your JEE JAAS propagation login module)

o edit jboss/server/default/conf/login-config.xml to add:

<application-policy name="BonitaAuth">
  <login-module code="org.ow2.bonita.identity.auth.BonitaIdentityLoginModule" flag="required"/>
</application-policy>
<application-policy name="BonitaStore">
  <login-module code="org.ow2.bonita.identity.auth.BonitaRemoteLoginModule" flag="required"/>
  <login-module code="org.jboss.security.ClientLoginModule" flag="required">
    <module-option name="password-stacking">useFirstPass</module-option>
  </login-module>
</application-policy>

- Start the server.

What confusion is this?

Shouldn't this be simpler?

Can anyone shed some light on this stuff? Because, being a Java developer, I'm starting to feel really bad for not knowing what is starting to feel like a basic subject ...

Hi, the login configuration file mentioned first is the syntax required by the default Configuration implementation provided by the JRE. But it can be overridden with a custom Configuration subclass to use any format. JBoss uses an XML format. It's only for authentication, not authorization.
I remember reading somewhere that JBoss uses only the JAAS authentication concepts, but implements its own authorization concepts, i.e., it doesn't use the familiar 'grant permission...' '.security' files.
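To make the answer concrete, here is an added, self-contained Java example (not code from the question, from Bonita or from JBoss) showing the two pieces the answer talks about: a LoginModule that does the actual authentication, and a Configuration subclass that tells a LoginContext which modules make up an application's login stack. The same stack could have been declared in the JRE's default text-file syntax (shown in a comment) or in JBoss's login-config.xml; the Configuration class is the pluggable layer that lets a container read whatever format it prefers. All class, option and credential names here ("DemoApp", "expected.user", "alice"/"secret") are constructed for the demo. The example does authentication only; authorization (Subject.doAs with a policy, or the container's role mapping) is a separate step, as the answer notes.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class JaasCustomConfigDemo {

    // The default JRE Configuration would read the same stack from a text file
    // passed via -Djava.security.auth.login.config, in this syntax:
    //
    //   DemoApp {
    //       JaasCustomConfigDemo$ConstantPasswordLoginModule required expected.user="alice";
    //   };
    //
    // A Configuration subclass returns the equivalent AppConfigurationEntry list in
    // code, which is how a container (JBoss, here with XML) plugs in its own format.
    static final class ProgrammaticConfiguration extends Configuration {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!"DemoApp".equals(name)) {
                return null; // unknown application name: LoginContext will fail to start
            }
            Map<String, String> options = new HashMap<>();
            options.put("expected.user", "alice"); // hypothetical module option, constructed for the demo
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(ConstantPasswordLoginModule.class.getName(),
                        LoginModuleControlFlag.REQUIRED, options)
            };
        }
    }

    // Minimal LoginModule. JAAS drives it in two phases: login() on every module in
    // the stack, then commit() if the stack succeeded or abort() if it did not.
    public static final class ConstantPasswordLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String expectedUser;
        private String authenticatedUser;
        private Principal principal;

        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
            this.expectedUser = (String) options.get("expected.user");
        }

        @Override
        public boolean login() throws LoginException {
            NameCallback nameCb = new NameCallback("user: ");
            PasswordCallback passCb = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nameCb, passCb }); // ask the caller (a form, a console) for credentials
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e.getMessage());
            }
            char[] password = passCb.getPassword();
            passCb.clearPassword();
            boolean ok = expectedUser.equals(nameCb.getName())
                    && password != null && "secret".equals(new String(password)); // constructed demo credential
            if (!ok) {
                throw new LoginException("bad credentials"); // with flag=required this fails the whole stack
            }
            authenticatedUser = nameCb.getName();
            return true;
        }

        @Override
        public boolean commit() {
            principal = () -> authenticatedUser; // Principal's single abstract method is getName()
            subject.getPrincipals().add(principal); // the Subject now carries the authenticated identity
            return true;
        }

        @Override
        public boolean abort() { authenticatedUser = null; return true; }

        @Override
        public boolean logout() { subject.getPrincipals().remove(principal); return true; }
    }

    // CallbackHandler that answers with fixed credentials (stands in for the j_security_check form).
    static CallbackHandler fixedCredentials(String user, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        Configuration.setConfiguration(new ProgrammaticConfiguration()); // replaces the file-based default

        LoginContext ok = new LoginContext("DemoApp", fixedCredentials("alice", "secret".toCharArray()));
        ok.login();
        System.out.println("authenticated principals: " + ok.getSubject().getPrincipals());
        ok.logout();

        LoginContext bad = new LoginContext("DemoApp", fixedCredentials("alice", "wrong".toCharArray()));
        try {
            bad.login();
        } catch (LoginException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with a plain `javac`/`java`; no application server is needed. The point to take away is that LoginContext only ever sees AppConfigurationEntry objects, so whether the stack came from the JRE's text file, from JBoss's login-config.xml or from a class like the one above makes no difference to the LoginModules. Options such as JBoss's `password-stacking=useFirstPass` work through the `sharedState` map passed to `initialize`, which is how one module can hand the already-collected credentials to the next module in the same stack instead of prompting twice.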