
Basic question about JAAS in Java ...

T Masga

I'm a Java developer, and I'm used to developing web applications.

Recently I've taken a closer look at JAAS, and since some time ago when I last looked into it, I still have many questions around it.

This is one subject that, no matter how many tutorials I read, there is something about it that does not compute in my head.

You know that feeling that there is just some -click- that must happen before everything clears up in the brain? I think I need something like that.

The thing is: JAAS has been around for quite some time. The way I see it, when I configure the roles and authentication mechanisms in a Web Application Server, I'm using JAAS behind, even without knowing how it glues stuff together.

I can define the authentication type in the application server, then I define the roles in my web application, and then on deployment, I can map them together, or I can have a specific deployment file for a specific application server that helps automate the task.

I normally define a Form Based Login, then create a custom form with j_security_check ...

But then again, the JAAS defines some config files like:

Does the application server do it behind?

Recently I've come across a piece of software that I can install on an application server, Bonita Open Solution. Somewhere in the installation manual, I find something like:


- Copy the bonita.ear file into your JEE server deployment directory (e.g., jboss/server/default/deploy)

- Add BonitaAuth and BonitaStore login modules to the JAAS configuration for your JEE server:

o org.ow2.bonita.identity.auth.BonitaIdentityLoginModule

o org.ow2.bonita.identity.auth.BonitaRemoteLoginModule (must be stacked with your JEE JAAS propagation login module)

o edit jboss/server/default/conf/login-config.xml to add:

<application-policy name="BonitaAuth">
  <authentication>
    <login-module code="org.ow2.bonita.identity.auth.BonitaIdentityLoginModule" flag="required"/>
  </authentication>
</application-policy>
<application-policy name="BonitaStore">
  <authentication>
    <login-module code="org.ow2.bonita.identity.auth.BonitaRemoteLoginModule" flag="required"/>
    <login-module code="" flag="required"><module-option name="password-stacking">useFirstPass</module-option></login-module>
  </authentication>
</application-policy>

- Start the server.

What confusion is this?

Shouldn't this be simpler?

Can anyone throw me a light on this stuff? Because being a Java developer, I'm starting to feel really bad for not knowing what starts to feel like a basic subject ...

Karthik Shiraly
Hi, the login configuration file mentioned first is the syntax required by the default Configuration implementation provided by the JRE. But it can be overridden with a custom Configuration subclass to use any format. JBoss is using XML format. It's only for authentication, not authorization.
I remember reading somewhere that JBoss uses only the JAAS authentication concepts, but implements its own authorization concepts, i.e., it doesn't use the familiar 'grant permission...' '.security' files.