
Basic question about JAAS in Java ...

T Masga
Posts: 6

I'm a Java developer, and I'm used to developing web applications.

Recently I've taken a closer look at JAAS, and since the last time I looked into it some time ago, I still have many questions around it.

This is one subject where, no matter how many tutorials I read, there is something about it that does not compute in my head.

You know that feeling that there is just some -click- that must happen before everything clears up in the brain? I think I need something like that.

The thing is: JAAS has been around for quite some time. The way I see it, when I configure the roles and authentication mechanisms in a Web Application Server, I'm using JAAS behind the scenes, even without knowing how it glues stuff together.

I can define the authentication type in the application server, then I define the roles in my web application, and then on deployment I can map them together, or I can have a specific deployment file for a specific application server that helps automate the task.

I normally define a Form Based Login, then create a custom form with j_security_check ...

But then again, JAAS defines some config files like:

Does the application server do this behind the scenes?

Recently I've come across a piece of software that I can install on an application server, Bonita Open Solution. Somewhere in the installation manual, I found something like:


- Copy the bonita.ear file into your JEE server deployment directory (e.g., jboss/server/default/deploy)

- Add BonitaAuth and BonitaStore login modules to the JAAS configuration for your JEE server:

o org.ow2.bonita.identity.auth.BonitaIdentityLoginModule

o org.ow2.bonita.identity.auth.BonitaRemoteLoginModule (must be stacked with your JEE JAAS propagation login module)

o edit jboss/server/default/conf/login-config.xml to add:

<application-policy name="BonitaAuth">
  <login-module code="org.ow2.bonita.identity.auth.BonitaIdentityLoginModule" flag="required"/>
</application-policy>
<application-policy name="BonitaStore">
  <login-module code="org.ow2.bonita.identity.auth.BonitaRemoteLoginModule" flag="required"/>
  <login-module code="" flag="required">
    <module-option name="password-stacking">useFirstPass</module-option>
  </login-module>
</application-policy>

- Start the server.

What confusion is this?

Shouldn't this be simpler?

Can anyone shed some light on this stuff for me? Because, being a Java developer, I'm starting to feel really bad for not knowing what is starting to feel like a basic subject ...

Karthik Shiraly
Posts: 1210
Hi, the login configuration file mentioned first is the syntax required by the default Configuration implementation provided by the JRE. But it can be overridden with a custom Configuration subclass to use any format. JBoss uses an XML format. It's only for authentication, not authorization.
I remember reading somewhere that JBoss uses only the JAAS authentication concepts, but implements its own authorization concepts, i.e., it doesn't use the familiar 'grant permission...' '.security' files.
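To tie the two posts together: the stacked BonitaStore policy quoted in the question, expressed as the custom Configuration subclass the answer mentions, with a login module that honours password-stacking=useFirstPass. This is an added example, not code from the thread, from Bonita or from JBoss; DemoLoginModule, XmlLikeConfiguration and the user name alice are invented for illustration, and the sharedState key is the one JBoss login modules use when stacking.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class StackedJaasDemo {
    // Hypothetical module: with password-stacking=useFirstPass it reuses the name the previous
    // module in the stack left in sharedState (the key JBoss uses) instead of prompting again.
    public static class DemoLoginModule implements LoginModule {
        static final String NAME = "javax.security.auth.login.name";
        private CallbackHandler handler; private Map<String, Object> shared; private boolean useFirstPass;
        @SuppressWarnings("unchecked")
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sh, Map<String, ?> opts) {
            handler = h; shared = (Map<String, Object>) sh;
            useFirstPass = "useFirstPass".equals(opts.get("password-stacking"));
        }
        public boolean login() throws LoginException {
            String name;
            if (useFirstPass && shared.containsKey(NAME)) {
                name = (String) shared.get(NAME);        // stacked module: reuse the first pass
            } else {
                NameCallback nc = new NameCallback("user: ");
                try { handler.handle(new Callback[] { nc }); }
                catch (Exception e) { throw new LoginException(e.toString()); }
                name = nc.getName();
                shared.put(NAME, name);                  // publish for the modules that follow
            }
            System.out.println((useFirstPass ? "reused " : "collected ") + name);
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort() { return true; } public boolean logout() { return true; }
    }
    // The "BonitaStore" policy from login-config.xml expressed as a Configuration subclass:
    // two REQUIRED entries, the second with password-stacking=useFirstPass.
    public static class XmlLikeConfiguration extends Configuration {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String app) {
            if (!"BonitaStore".equals(app)) return null;
            String mod = DemoLoginModule.class.getName();
            AppConfigurationEntry.LoginModuleControlFlag req = AppConfigurationEntry.LoginModuleControlFlag.REQUIRED;
            return new AppConfigurationEntry[] { new AppConfigurationEntry(mod, req, Map.of()),
                new AppConfigurationEntry(mod, req, Map.of("password-stacking", "useFirstPass")) };
        }
    }
    public static void main(String[] args) throws LoginException {
        CallbackHandler h = cbs -> { for (Callback c : cbs)    // constructed test identity
            if (c instanceof NameCallback) ((NameCallback) c).setName("alice"); };
        new LoginContext("BonitaStore", new Subject(), h, new XmlLikeConfiguration()).login();
    }
}
```

Running it shows the first module collecting the name through the CallbackHandler and the second reusing it from sharedState, which is all that password-stacking buys you; a real stacked module would also read the password key and verify it against its own store.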