J2EE JAAS - Is it worth it?

 
Ranch Hand
Posts: 362
I've been looking into security with regard to webapps; until now I have just used handwritten classes for simple username/password lookups.

I have had a play around with j_security_check/Realms with Tomcat and this all seems pretty straightforward (but not sure what it gives you that doing this yourself doesn't).

But recently I started looking into J2EE JAAS and got to thinking... What is actually that good about JAAS?


Looking at a simple example, I see that it (for this example) reads in your username/password and passes them into a LoginContext (what?), which uses a handwritten CallbackHandler class, which in turn calls a LoginModule (a lot of classes going on here).

The CallbackHandler then just seems to take the username/password and set something called NameCallback & PasswordCallback, which then get passed into the LoginModule.login method, which (again) sets a NameCallback & PasswordCallback, but ultimately all it then does is the simplest of simple 'isEquals' checks:


So what has JAAS actually done that a simple handwritten class doesn't? One that takes a username/password, encrypts the password with something like SHA-512, then does a simple lookup of the username, gets the User object, gets the salt (however you fancy doing that) for that User, encrypts the passed-in password and compares it to the password stored for the found username.

Whenever I try to find an answer as to why you should use JAAS, I usually just find some copy-and-pasted reference that has clearly come from the official Java description of what JAAS is, but no actual hands-on experience of its benefits.
What makes JAAS more secure, easier, or beneficial in the real world? Is it more secure than DIY authentication, or is it just a way of saying "Our website uses J2EE JAAS security"?

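To make the flow in the question concrete, here is an added example (my own code, not from the thread, the JAAS docs or any project named here) of the LoginContext -> CallbackHandler -> LoginModule chain, with the plain 'isEquals' check replaced by the salted SHA-512 lookup the post describes. The class names, the "demo" configuration name and the in-memory user store are all made up for the demonstration; a real module would read the salt and hash from your user table.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Demo (not code from the thread): JAAS LoginContext -> CallbackHandler -> LoginModule, with a salted SHA-512 compare. */
public class SaltedJaasDemo {
    /** Constructed in-memory user store: username -> {salt, SHA-512(salt || password)}. */
    static final Map<String, byte[][]> USERS = new HashMap<>();

    static byte[] sha512(byte[] salt, char[] password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-512");
            md.update(salt);
            md.update(new String(password).getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    /** Registers a user under a fresh random salt; the clear-text password is never stored. */
    static void addUser(String name, char[] password) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        USERS.put(name, new byte[][] { salt, sha512(salt, password) });
    }

    /** The LoginModule. JAAS instantiates it reflectively by the class name given in CONFIG below. */
    public static class SaltedLoginModule implements LoginModule {
        private CallbackHandler handler;
        private boolean succeeded;

        @Override public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
            this.handler = handler;   // 'subject' is where commit() would attach Principals after a successful login
        }

        @Override
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("username: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });   // ask the application for the credentials
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e);
            }
            char[] pw = pc.getPassword() != null ? pc.getPassword() : new char[0];  // getPassword() returns a copy
            pc.clearPassword();
            byte[][] rec = USERS.get(nc.getName());
            // Unknown user: hash against a dummy record anyway, so the failure path costs the same whether or not
            // the username exists (avoids username enumeration by timing).
            byte[] salt = rec != null ? rec[0] : new byte[16];
            byte[] expected = rec != null ? rec[1] : new byte[64];
            boolean match = MessageDigest.isEqual(expected, sha512(salt, pw));   // constant-time comparison
            Arrays.fill(pw, '\0');
            if (rec == null || !match) throw new FailedLoginException("bad credentials");
            succeeded = true;
            return true;
        }

        @Override public boolean commit() { return succeeded; }
        @Override public boolean abort()  { succeeded = false; return true; }
        @Override public boolean logout() { succeeded = false; return true; }
    }

    /** Programmatic JAAS configuration, so the demo needs no jaas.conf file. */
    static final Configuration CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(SaltedLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap()) };
        }
    };

    /** A CallbackHandler that answers NameCallback/PasswordCallback from values it already holds (as a web layer would). */
    static CallbackHandler handlerFor(final String name, final char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(name);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb, "not supported");
            }
        };
    }

    static boolean authenticate(String name, char[] password) {
        try { new LoginContext("demo", new Subject(), handlerFor(name, password), CONFIG).login(); return true; }
        catch (LoginException e) { return false; }
    }

    public static void main(String[] args) {
        addUser("alice", "correct horse battery".toCharArray());
        System.out.println("alice, right password: " + authenticate("alice", "correct horse battery".toCharArray()));
        System.out.println("alice, wrong password: " + authenticate("alice", "wrong".toCharArray()));
        System.out.println("unknown user:          " + authenticate("nobody", "anything".toCharArray()));
    }
}
```

Compile and run it with `javac SaltedJaasDemo.java && java SaltedJaasDemo`; the three calls in main exercise a correct password, a wrong password and an unknown username. What the example makes visible is the point of the thread: the hashing, salting and constant-time comparison are your code either way, and JAAS adds only the pluggable contract around them (the CallbackHandler keeps the module ignorant of where credentials come from, and CONFIG lets a module be swapped without touching the application). Whether that contract is worth the extra classes is exactly the trade-off the answers below discuss.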
 
Rancher
Posts: 43081
That's a good question. JAAS has never lived up to being *the* high-level security solution for Java that it was designed to be. Part of the reason is its complexity (too much for many applications), part is that it never tied in all that well with J2EE/JEE, and particularly not with web apps. See https://coderanch.com/how-to/java/SecurityFaq#jaas for some articles that give a perspective on that.

While it may look like you could replace JAAS by a few well-written classes of your own, you should resist that temptation. It's too easy to get security wrong, and thus render it ineffective. Using Tomcat's realms is way better than rolling your own.

If I were to start a big new project I'd take a long, hard look at Apache Shiro - it handles most high-level security requirements in a user-friendly way that's applicable to different environments (web app, desktop app, web service, etc.), as opposed to JAAS and servlet security that chiefly apply only to a single environment.
 
Kevin P Smith
Ranch Hand
Posts: 362
Hi Ulf

Thanks for the response, I thought maybe I was missing something obvious with JAAS when I read it.

I have had a little look at Shiro (although I haven't got it working yet); just wondering how Shiro compares to j_security_check? More or less the same, an extension, or a totally independent new framework?
Can you use j_security_check with digest (something like SHA512)?
 
Ulf Dittmer
Rancher
Posts: 43081
77
Shiro is independent of j_security_check; it does its own web security thing (as outlined in http://shiro.apache.org/web.html and especially http://shiro.apache.org/web.html#Web-FormbasedLogin). But it works similarly, it's just configured differently. And it can hook into the Servlet Session API instead of using its own native session API, should your existing code rely on those classes.
 