The Artima Developer Community
Java Answers Forum
Web Applications and JAAS

Claude Jones

Posts: 1
Nickname: cjones3
Registered: Mar, 2003

Web Applications and JAAS Posted: Mar 5, 2003 5:10 PM
Hello,

I am working on a project which needs to incorporate JAAS authorization with a Servlet Container's authentication/authorization (web.xml).

Based on my understanding (please correct me if I'm wrong), Tomcat currently handles declarative security based on a deployment descriptor known as the web.xml file. This XML file allows you to map roles to application resources via the security-constraint tag. Once authenticated by the Servlet container, you are able to use the HttpServletRequest to get the current user principal and perform programmatic authorization checks based on roles defined for the user.

Now about JAAS. I see the benefits in using the JAAS PAN architecture to define a stack of login modules which will enable you to authenticate using different data stores (LDAP, JDBC to DB, flat file, etc.) for a given enterprise application. However, in using this approach it seems like JAAS bypasses the Servlet container's authentication mechanism.

For example, based on prototype code, when using JAAS to authenticate a user in a web application, HttpServletRequest.getUserPrincipal() is null, which means I don't have access to a user's credential information via HttpServletRequest.isUserInRole(String role). Is that correct?

Instead I have to work with the LoginContext.getSubject() object to retrieve the credentials/principals for a given user.

It would be nice if I could have the Servlet container handle the authentication of a user as well as utilize the benefits of web.xml's security-constraints.

Also, I'm confused on how to map logical roles defined for an application using the jaas.policy file to an existing set of users defined across different data stores to allow programmatic authorization via the credentials/principals of a Subject.

For example, if my application has an AppAdmin role, an AppBasic role, and an AppDev role, how would I map these logical roles to users in an existing datastore? If a client is running WebLogic I'm sure they will have roles that are similar to the ones I have defined for my application. What would be the mechanism to handle this use-case?

So after my long-winded explanation, I was hoping someone would be able to provide me with some insight on this subject.

Thanks for your time,


Claude Jones
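The declarative-plus-programmatic setup the post describes (a security-constraint in web.xml, then getUserPrincipal() and isUserInRole() inside a servlet), written out as an added example; this is not the poster's prototype code. The role names AppAdmin, AppBasic and AppDev come from the post; the servlet name, the /admin/* URL pattern, the FORM login pages and the security-role-ref mapping are assumptions made for the example. The null check on getUserPrincipal() is there because that is exactly the value the poster saw when the container had not performed the authentication itself.

```java
// Added example, not code from the post. Assumes a web.xml containing
// roughly the following (paths and page names are hypothetical; the role
// names are the ones from the post):
//
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>Admin pages</web-resource-name>
//       <url-pattern>/admin/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint>
//       <role-name>AppAdmin</role-name>
//     </auth-constraint>
//   </security-constraint>
//   <login-config>
//     <auth-method>FORM</auth-method>
//     <form-login-config>
//       <form-login-page>/login.jsp</form-login-page>
//       <form-error-page>/login-error.jsp</form-error-page>
//     </form-login-config>
//   </login-config>
//   <security-role><role-name>AppAdmin</role-name></security-role>
//   <security-role><role-name>AppBasic</role-name></security-role>
//   <security-role><role-name>AppDev</role-name></security-role>
//
// The servlet spec's own mechanism for mapping a logical role name used in
// code onto a differently named deployment role is security-role-ref,
// declared inside the <servlet> element (example deployment role name is
// hypothetical):
//
//   <security-role-ref>
//     <role-name>AppAdmin</role-name>          <!-- name used in isUserInRole -->
//     <role-link>site-administrators</role-link> <!-- role the deployer defined -->
//   </security-role-ref>

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ReportServlet extends HttpServlet {

    // Application roles, most privileged first.
    private static final String[] KNOWN_ROLES = { "AppAdmin", "AppDev", "AppBasic" };

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // The container populates this only when it performed the
        // authentication itself (via login-config). A LoginContext driven
        // from application code is invisible to the container, so in that
        // case this is null and isUserInRole() is false for every role.
        Principal user = request.getUserPrincipal();
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                               "not authenticated by the container");
            return;
        }

        // Programmatic authorization against the same role set the
        // container used when it enforced the security-constraint.
        String effectiveRole = firstMatchingRole(request);
        if (effectiveRole == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                               "no application role for " + user.getName());
            return;
        }

        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("user: " + user.getName());
        out.println("role: " + effectiveRole);
        if (request.isUserInRole("AppAdmin")) {
            out.println("admin-only section");
        }
    }

    // First entry of KNOWN_ROLES that the container reports for the caller,
    // or null if the caller holds none of them.
    static String firstMatchingRole(HttpServletRequest request) {
        for (int i = 0; i < KNOWN_ROLES.length; i++) {
            if (request.isUserInRole(KNOWN_ROLES[i])) {
                return KNOWN_ROLES[i];
            }
        }
        return null;
    }
}
```

The two failure modes are kept distinct on purpose: a null principal means the container never authenticated the request (401), while a non-null principal with no matching role means authentication succeeded but the user is not authorized for this resource (403). Only the container's own login-config path sets the principal, which is why the deployment descriptor and the programmatic checks have to be driven by the same authentication mechanism.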

Copyright © 1996-2019 Artima, Inc. All Rights Reserved.