
Brett Sanger

since Jul 26, 2006

Recent posts by Brett Sanger

Originally posted by Ulf Dittmer:
JAAS by itself is not the answer.

Thank you. Very informative, and I'll plow through the links you provided. A simple "this is not the complete answer" does quite a bit for resolving my confusion. (I also have evidence that it's difficult to get that answer even when explicit, so thank you again.)
12 years ago
The "web app" is on the Presentation tier. There is no business logic in the "web app". The purpose of the "web app" is to provide a GUI to a human.

I've got that:

App Server
Servlet (Controller of presentation layer)
(Model - Business Delegate to services, etc.)
(other innards here)

My issue is that when the user connects to the App Server, the app server has to identify who that user is to determine if they get sent to a login action. Presumably an SSO solution would remove such logic from the application entirely and handle it before the presentation controller is defined...but I can find no documentation about that part. (Ulf says that JAAS doesn't handle that part, which says a lot in one sentence that I've had problems locating otherwise)

Further, when the business layer attempts to perform an action, it needs to have a JAAS subject and I have no idea where I'm supposed to mystically gain that info. (Probably because I don't have the step above)

It will be difficult for you to skip the Business tier and try to stick everything in the "web apps." This style of application design conflicts with the J2EE programming model.

Part of why we're trying to convert. I _think_ the simple version of what you're saying is "Because your app server will pipe all new sessions to a JAAS-based login system (which will either be a third party package or a custom connector), mixing the authentication systems as you convert will be hard", but you didn't actually say how gaining credentials is handled, so I'm still guessing.
12 years ago
Perhaps I have phrased it badly so I'll try again.

JAAS is a standard. The code for the tier is written (except for local details).

My questions basically are:

1) Does JAAS do what I've described?

2) Assuming so, how does a web app talk to the JAAS layer and gain/pass auth info?
12 years ago
I'm not seeking a full working solution, but a how-to along the lines of:

"turn on JAAS authentication in the foo.config file, and in each web application send the FooSec cookie to your LoginContext. The authorization policy only applies to programmatic resources, so you're better off getting the subject's role (via the Subject.getRoles() call) and using that information for any app-based authorization decisions."

Such is the level of support I've come to expect from OTHER languages and frameworks. I assumed I was simply missing the right search terms this time. You seem to be saying "no, you have to guess the framework interfaces, write your own tier from scratch, or hire a consultant."
12 years ago
Sounds like you are missing a common Business tier

Well yes, that's the general idea of what we're trying to fix.

An "authorized user" is tracked in the Business tier and once authorized, they do not need to login again for the other "web apps."

Yes... What code/server changes are involved in making this happen? As I said, all the examples I've seen are single-action command line things, nothing saying HOW an app learns that a user is already authorized, nor how to determine their authorized role.

Individual security modules coded within each "web app" will prevent your attempts at SSO from working.

Again, we're trying to fix this, but we want to do it piecemeal. Convert apps A and B to use the common auth system while C and D don't (yet).

Your answer is exactly the sort of thing I've been finding: high on theory, low on implementation details. I'm sold on the theory, but I can't find any example of how to implement it (aside from the previously mentioned command-line examples). I'm sorry if I explained it poorly the first time around, but I've been googling and reading buzzword-laden papers for 2 days and I'm not much closer to an implementation.
12 years ago
My brain is full and I'm buried in buzzwords. Help would be greatly appreciated.

My workplace has a number of web apps deployed under WebSphere that each have their own security filter that forces them to log in and checks their credentials against the LDAP server. All the authentication and authorization code is at the app level.

We want to migrate to a single sign-on model, so that a user off one app is recognized on others without having to re-login. I'm trying to understand what all is involved. My instructions are to stay standard and vendor-neutral. (IBM seems to have LTPA - but that's IBM only)

I've discovered that JAAS can have a common authentication module that will check against our LDAP server. What I've not been able to puzzle out is how the apps become aware of the existing authentication. (i.e. on a visit the app checks (something) to determine if the user is already authenticated, and if not, they fail the authentication and get bounced to a login screen of some variety. Currently we do that per-app in a security filter. All of the JAAS examples are single-action console-based things that don't cover that.)

Likewise, I'm unclear on how authorization is handled. JAAS seems to cover authorization to certain programmatic resources based on the Subject and the policy, but we're interested in having authorization info about the user to determine how (and if) our code performs.

Finally, this will have to be implemented over time as apps are converted to use it. A solution that cripples the access of any app on the server not using JAAS will cause problems.

Can someone help me fill in the missing pieces? I feel like I'm barking up the wrong tree, but clear examples are sorely missing.
12 years ago
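The JAAS pieces the posts above keep asking about (a LoginModule that checks credentials, the LoginContext that drives it, and reading roles back out of the resulting Subject for the app's own authorization decisions) are shown in the following added example. It is not code from the thread or from any poster; everything in it is an assumption for illustration: the class names JaasDemo, MapLoginModule, UserPrincipal and RolePrincipal are hypothetical, a constructed in-memory map stands in for the LDAP directory, and a programmatic Configuration stands in for the JAAS config file. The part the thread is really missing, how the authenticated Subject is carried across requests and across web apps, is container-specific (in WebSphere that is the LTPA token the posts mention) and is not shown; with container-managed security a servlet sees the outcome through HttpServletRequest.getUserPrincipal() and isUserInRole().

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasDemo {

    /** Principal naming the authenticated user (hypothetical class). */
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Principal carrying one role; the app checks the Subject for these (hypothetical class). */
    public static final class RolePrincipal implements Principal {
        private final String role;
        public RolePrincipal(String role) { this.role = role; }
        @Override public String getName() { return role; }
    }

    // Constructed stand-in for the LDAP directory: user -> password, user -> roles.
    static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret", "bob", "hunter2");
    static final Map<String, Set<String>> ROLES =
        Map.of("alice", Set.of("admin", "user"), "bob", Set.of("user"));

    /** LoginModule: authenticate in login(), populate the Subject only in commit(). */
    public static class MapLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private boolean succeeded;

        @Override public void initialize(Subject subject, CallbackHandler handler,
                                         Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });   // pull credentials from the caller
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException(e.getMessage());
            }
            String expected = PASSWORDS.get(nc.getName());
            char[] given = pc.getPassword();
            pc.clearPassword();                               // do not keep the password around
            succeeded = expected != null && given != null && expected.equals(new String(given));
            if (!succeeded) throw new FailedLoginException("bad credentials");
            user = nc.getName();
            return true;
        }

        @Override public boolean commit() {
            if (!succeeded) return false;
            subject.getPrincipals().add(new UserPrincipal(user));
            for (String r : ROLES.getOrDefault(user, Set.of())) subject.getPrincipals().add(new RolePrincipal(r));
            return true;
        }

        @Override public boolean abort() { user = null; succeeded = false; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Programmatic replacement for a JAAS config file entry named "WebApps". */
    static final Configuration CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                MapLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                Collections.emptyMap()) };
        }
    };

    /** CallbackHandler that answers with credentials captured from, e.g., a login form. */
    static CallbackHandler credentials(String user, String password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    /** Authenticate and return the populated Subject; throws LoginException on failure. */
    public static Subject login(String user, String password) throws LoginException {
        LoginContext lc = new LoginContext("WebApps", null, credentials(user, password), CONFIG);
        lc.login();
        return lc.getSubject();
    }

    /** The authorization decision the app code makes: does the Subject hold this role? */
    public static boolean isUserInRole(Subject s, String role) {
        return s != null && s.getPrincipals(RolePrincipal.class).stream().anyMatch(p -> p.getName().equals(role));
    }

    public static void main(String[] args) throws Exception {
        Subject alice = login("alice", "s3cret");
        System.out.println("alice admin?   " + isUserInRole(alice, "admin"));
        System.out.println("alice auditor? " + isUserInRole(alice, "auditor"));
        try { login("bob", "wrong"); } catch (LoginException e) { System.out.println("bob rejected: " + e.getMessage()); }
    }
}
```

Roles are read from the Subject's principals rather than from any JAAS policy file, which is the distinction the posts draw between JAAS's permission-based authorization of programmatic resources and the application's own "may this user do X" decisions. The password is cleared from the PasswordCallback as soon as it has been compared, and the Subject is only populated in commit(), so a module that fails in login() never leaves partial principals behind.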
I've got a case where I need to have a website offer a "download results" link (i.e. return non-HTML dynamically created data). Normally I'd just use a DownloadAction, but the company is using Struts 1.1 (I know) and that feature doesn't exist.

My google-fu has failed me. How did people do this prior to Struts 1.2?

Thanks in advance
12 years ago