• Post Reply Bookmark Topic Watch Topic
  • New Topic

Web Applications and JAAS  RSS feed

claude jones
Posts: 24
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I am working on a project which needs to incorporate JAAS authorization with a Servlet Container�s authentication/authorization (web.xml).
Based on my understanding, (please correct me if I'm wrong) Tomcat currently handles declarative security based on a deployment descriptor known as the web.xml file. This XML file allows you to map roles to application resources via the security-constraint tag. Once authenticated by the Servlet container, you are able to use the HttpServletRequest to get the current user principle and perform programmatic authorization checks based on roles defined for the user.
Now about JAAS. I see the benefits in using JAAS PAN architecture to define a stack of login modules which will enable you to authenticate using different data stores (LDAP, JDBC to DB, Flat File etc�) for a given enterprise application. However, in using this approach it seems like JAAS bypasses the Servlet containers authentication mechanism.
For example, based on prototype code, when using JAAS to authenticate a user in a web application, the HttpServletRequest.getUserPrinciple() is �null�. Which means I don�t have access to a user�s credential information via the HttpServletRequest.isUserInRole(String role). Is that correct?
Instead I have to work with the LoginContext.getSubject() object to retrieve the credentials/principles for a given user.
I would be nice if I could have the Servlet container handle the authentication of a user as well as utilize the benefits of web.xml�s security-constraints.
Also,I�m confused on how to map logical roles defined for a application using the jaas.policy file to an existing set of users defined across different data stores to allow programmatic authorization via the credentials/principles of a Subject.
For example, if my application has AppAdmin role, AppBasic role, and AppDev role, how would I map these logical roles to users in a existing datastore. If a client is running WebLogic I'm sure they will have roles that are similar to the ones I have defined for my application. What would be the mechanism to handle this use-case.
So after my long winded explanation, I was hoping someone would be able to provide me with some insight on this subject.
Thanks for your time,

Claude Jones
[ March 05, 2003: Message edited by: claude jones ]
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!