
JAAS with Struts2

Soheil Tayari
Greenhorn
Posts: 29
OK, I didn't know whether to ask this here or in the Struts2 forum, but since it's more JAAS related I'd rather ask it here. Here's the story:

I was searching for the best way to utilize the login mechanism with Struts2.
I tried container-managed authentication with Tomcat, which is pretty good (since it handles most of the hard work), but it's a little incompatible with Struts2 'cause Struts2 tries to be independent of the underlying Servlet context.
Using JAAS with CMA is the same. In this case Tomcat uses my custom LoginModule and a JAAS realm to authenticate users instead of its default mechanism (correct me if I'm wrong).
All this brought me to another way, which is using a login Interceptor for restricted resources. The Interceptor redirects to the login page if a request reaches a restricted resource. Then the login information is submitted to a Struts2 Action. Here I have to do the authentication manually: given the username and password from the Action class, I call my LoginModule and authentication takes place. Here's the part I can't figure out: after getting the Subject and Principals I don't know how to store them so the user is recognized across different requests to restricted resources. If I store the Subject in the HttpSession I lose my LoginContext, and storing the whole LoginContext in the Session doesn't make sense to me.
Sorry for the long story, I just wanted to make the point clear. Any help would be appreciated.

Jimmy Clark
Ranch Hand
Posts: 2187
Presentation Tier
Business Tier
Integration Tier

A Web or GUI component is on the Presentation tier at the top. And the secured data and resources are on the Integration tier on the bottom.

Ideally, a JAAS implementation IS NOT hard-wired to stuff in the Presentation tier, even if a technology provides a way to do it, e.g. Tomcat, Struts, etc.

Your JAAS implementation should be invoked by Business objects not Presentation objects. A Struts Action object is part of a Controller on the Presentation tier.

What you find above is how three-tier programming designs handle things. If you are working on a simple web app with limited usage, you wouldn't use JAAS. JAAS is for the big boys.
 
Soheil Tayari
Greenhorn
Posts: 29
Thanks Jimmy, I much appreciate your response. And what made you think I'm not a big boy?
So what you're saying basically is that if I want to authenticate someone I have to make a call to a business-layer object, which in turn does the JAAS-related work and returns a result as a domain object (like a User object).
 
Jimmy Clark
Ranch Hand
Posts: 2187
Almost. If you wanted to design this in accord with Sun's J2EE programming model, then this is how you would do it. There are certainly other design options.

The JAAS-related code is for security. It shouldn't be creating domain/business objects as a result. Basically, all you need is a signal from the login module: 0 or 1, yes or no, good or bad. If there is indeed other security-related info needed, then this gets passed back to the Business tier. Ideally, your "user" object has already been created. It just needs to be authenticated and authorized.

As an aside, JAAS is typically for distributed, enterprise systems, i.e. big boys, built with enterprise-class application servers, e.g. Websphere, Weblogic, etc. These systems have the heavy security requirements which JAAS was designed to address.
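As an added example that is not part of this thread and not code from any Struts2 or JAAS project, the following Java class sketches the design Jimmy describes: a business-tier authenticate() method drives a JAAS LoginContext through a CallbackHandler and hands the presentation tier only a yes/no signal plus the role names it may need, so neither the LoginContext nor the Subject has to live in the HttpSession. The application name "StrutsDemo", the DemoLoginModule, RolePrincipal and AuthResult classes, and the single-user table are constructed assumptions for this illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasAuthDemo {

    /** What the business tier hands back to the web tier: a signal plus the roles it needs. */
    public static final class AuthResult {
        public final boolean authenticated;
        public final Set<String> roles;
        AuthResult(boolean authenticated, Set<String> roles) {
            this.authenticated = authenticated;
            this.roles = Collections.unmodifiableSet(roles);
        }
    }

    /** Minimal Principal carrying a role name (constructed for the demo). */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Constructed demo user table: username -> {sha256 hex of password, role...}.
     *  A real store would use a salted, slow password hash instead of plain SHA-256. */
    private static final Map<String, String[]> USERS = new HashMap<>();
    static { USERS.put("alice", new String[]{sha256Hex("s3cret"), "admin", "user"}); }

    /** Hypothetical LoginModule standing in for the custom one the thread mentions. */
    public static class DemoLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private boolean succeeded;

        @Override public void initialize(Subject subject, CallbackHandler handler,
                                         Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[]{nc, pc});   // pull credentials from the caller
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException(e.getMessage());
            }
            char[] pw = pc.getPassword() == null ? new char[0] : pc.getPassword();
            pc.clearPassword();
            String[] row = USERS.get(nc.getName());
            // Hash even for unknown users so the work done does not reveal whether the name exists.
            String expected = row != null ? row[0] : sha256Hex("");
            boolean ok = row != null && MessageDigest.isEqual(     // constant-time compare
                    sha256Hex(new String(pw)).getBytes(StandardCharsets.UTF_8),
                    expected.getBytes(StandardCharsets.UTF_8));
            Arrays.fill(pw, '\0');
            if (!ok) throw new FailedLoginException("bad credentials");
            user = nc.getName();
            succeeded = true;
            return true;
        }

        @Override public boolean commit() {
            if (!succeeded) return false;
            String[] row = USERS.get(user);
            for (int i = 1; i < row.length; i++) subject.getPrincipals().add(new RolePrincipal(row[i]));
            return true;
        }
        @Override public boolean abort() { succeeded = false; user = null; return true; }
        @Override public boolean logout() {
            subject.getPrincipals().removeIf(p -> p instanceof RolePrincipal);
            return true;
        }
    }

    /** Business-tier entry point: runs JAAS and returns only the signal plus role names. */
    public static AuthResult authenticate(String username, char[] password) {
        Configuration config = new Configuration() {   // in-code equivalent of a jaas.conf entry
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[]{new AppConfigurationEntry(
                        DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        Collections.<String, Object>emptyMap())};
            }
        };
        CallbackHandler handler = callbacks -> {       // feeds the Action's username/password to the module
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(username);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        try {
            LoginContext lc = new LoginContext("StrutsDemo", new Subject(), handler, config);
            lc.login();                                 // throws LoginException on failure
            Set<String> roles = new TreeSet<>();
            for (RolePrincipal p : lc.getSubject().getPrincipals(RolePrincipal.class)) roles.add(p.getName());
            return new AuthResult(true, roles);         // LoginContext and Subject stay in this tier
        } catch (LoginException e) {
            return new AuthResult(false, Collections.<String>emptySet());
        }
    }

    static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        AuthResult good = authenticate("alice", "s3cret".toCharArray());
        AuthResult bad = authenticate("alice", "wrong".toCharArray());
        System.out.println("alice/s3cret -> " + good.authenticated + " roles=" + good.roles);
        System.out.println("alice/wrong  -> " + bad.authenticated);
    }
}
```

Compile with javac and run with java JaasAuthDemo (Java 8 or later). In the interceptor design from the first post, the Struts2 Action would call authenticate() and store only the AuthResult (or just the username and roles) in the HttpSession; the Interceptor then checks that stored result on each request to a restricted resource. The LoginContext is created and discarded inside the business tier, which is why nothing JAAS-specific needs to be serialized into the session.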
 
Soheil Tayari
Greenhorn
Posts: 29
Thank you very much. Your post was really helpful.
 