Web Applications and JAAS

I am working on a project which needs to incorporate JAAS authorization with a Servlet Container's authentication/authorization (web.xml).
Based on my understanding (please correct me if I'm wrong), Tomcat currently handles declarative security based on a deployment descriptor known as the web.xml file. This XML file allows you to map roles to application resources via the security-constraint tag. Once authenticated by the Servlet container, you are able to use the HttpServletRequest to get the current user principal and perform programmatic authorization checks based on roles defined for the user.
Now about JAAS. I see the benefits in using the JAAS PAM architecture to define a stack of login modules which will enable you to authenticate using different data stores (LDAP, JDBC to a DB, flat file, etc.) for a given enterprise application. However, in using this approach it seems like JAAS bypasses the Servlet container's authentication mechanism.
For example, based on prototype code, when using JAAS to authenticate a user in a web application, HttpServletRequest.getUserPrincipal() is 'null', which means I don't have access to a user's credential information via HttpServletRequest.isUserInRole(String role). Is that correct?
Instead I have to work with the LoginContext.getSubject() object to retrieve the credentials/principals for a given user.
It would be nice if I could have the Servlet container handle the authentication of a user as well as utilize the benefits of web.xml's security-constraints.
Also, I'm confused on how to map logical roles defined for an application using the jaas.policy file to an existing set of users defined across different data stores to allow programmatic authorization via the credentials/principals of a Subject.
For example, if my application has an AppAdmin role, an AppBasic role, and an AppDev role, how would I map these logical roles to users in an existing datastore? If a client is running WebLogic I'm sure they will have roles that are similar to the ones I have defined for my application. What would be the mechanism to handle this use case?
So after my long-winded explanation, I was hoping someone would be able to provide me with some insight on this subject.
Thanks for your time,

Claude Jones
[ March 05, 2003: Message edited by: claude jones ]
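As an added example (not code from the post, from Tomcat or from WebLogic), here is a JAAS LoginModule in the shape the post describes: it checks credentials against a constructed in-memory store standing in for LDAP/JDBC, maps the store's groups to the application's logical roles (AppAdmin, AppBasic, AppDev) and attaches them to the Subject in commit(), so that a Subject-side isUserInRole() can do the programmatic check the post wants from HttpServletRequest. Class, user, password and group names are made up for the example; it assumes Java 17 or later.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class AppRoleLoginModule implements LoginModule {
    // Records give the equals/hashCode a Set needs; a component named getName satisfies Principal.getName().
    public record UserPrincipal(String getName) implements Principal {}
    public record RolePrincipal(String getName) implements Principal {}
    // Constructed stand-in for a real data store (LDAP, JDBC, ...): user -> {password, store group}.
    private static final Map<String, String[]> STORE = Map.of("alice", new String[] {"s3cret", "ops-admins"});
    // The logical-role mapping the post asks about: data-store group -> application role.
    private static final Map<String, String> GROUP_TO_ROLE = Map.of("ops-admins", "AppAdmin", "developers", "AppDev");
    private Subject subject; private CallbackHandler handler; private String user;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: "); PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] {nc, pc}); } catch (Exception e) { throw new LoginException(e.toString()); }
        String[] rec = STORE.get(nc.getName());
        boolean ok = rec != null && Arrays.equals(rec[0].toCharArray(), pc.getPassword());
        pc.clearPassword(); if (!ok) throw new FailedLoginException("bad credentials");   // wipe the secret either way
        user = nc.getName(); return true;
    }
    // Authorization data is attached only in commit(), i.e. after every module in the stack succeeded.
    public boolean commit() {
        if (user == null) return false;
        subject.getPrincipals().add(new UserPrincipal(user));
        subject.getPrincipals().add(new RolePrincipal("AppBasic"));   // every authenticated user
        String role = GROUP_TO_ROLE.get(STORE.get(user)[1]);
        if (role != null) subject.getPrincipals().add(new RolePrincipal(role));
        return true;
    }
    public boolean abort() { return logout(); }
    public boolean logout() { subject.getPrincipals().clear(); user = null; return true; }   // single-module stack
    public static boolean isUserInRole(Subject s, String role) {   // Subject-side HttpServletRequest.isUserInRole()
        return s.getPrincipals(RolePrincipal.class).stream().anyMatch(p -> role.equals(p.getName()));
    }
    public static void main(String[] args) throws LoginException {
        Configuration cfg = new Configuration() {             // in-code stand-in for a jaas.config entry named "MyApp"
            public AppConfigurationEntry[] getAppConfigurationEntry(String n) {
                return new AppConfigurationEntry[] {new AppConfigurationEntry(AppRoleLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of())}; } };
        CallbackHandler ch = cbs -> { for (Callback c : cbs) {   // scripted login as alice; a servlet would pass the form fields
            if (c instanceof NameCallback n) n.setName("alice");
            else if (c instanceof PasswordCallback p) p.setPassword("s3cret".toCharArray()); } };
        LoginContext lc = new LoginContext("MyApp", new Subject(), ch, cfg); lc.login();
        System.out.println("AppAdmin=" + isUserInRole(lc.getSubject(), "AppAdmin") + " AppDev=" + isUserInRole(lc.getSubject(), "AppDev"));
    }
}
```

Compile with javac and run the class directly; the same module, named in a jaas.config entry, is what a Tomcat JAASRealm (with userClassNames and roleClassNames pointing at the two principal records) would call, so the container performs the authentication and web.xml security-constraints see the mapped roles.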