2 Replies Latest reply on Mar 2, 2006 7:41 PM by cchoi

    Rudimentary questions about how JAAS works

    cchoi

      Hello,

This is a rudimentary question, but I'm not sure what the authenticated entity ACTUALLY is in a web app. Is it the session, or the object in which JAAS authentication occurred?

For example, consider a user who wants to access a secured EJB through a web application. The user would log in on the JSF login page, and the backing bean would authenticate the user using the JAAS API (using JBoss' client-login, for example).
In this case, is the user considered authenticated as long as the session is maintained? Or is it only the backing bean object that can access the secured area?

Related question: how does the client-side authenticated subject propagate to the EJB side? Is it attached in the EJB home create() method call? If so, by whom?

      Thanks for help in advance.
      Chulwoo

        • 1. Re: Rudimentary questions about how JAAS works
          j2ee_junkie

          Good Day cchoi,

In the Tomcat servlet container, an authenticated entity is stored as a Principal in the Session. This principal is really an extension of java.security.Principal that also stores an array of String "roles". On every request (if the web app has been configured to use Container Managed Security), a check is made to see if the request has a security constraint, if there is a Principal, and if the Principal has the role configured in the constraint.

If your Tomcat server is embedded in JBoss, then this principal and the original credentials (i.e. password) are sent with each request to the EJB Container. You can look at org.jboss.web.tomcat.security.SecurityAssociationValve for more details.

          As well, you should read Chapter 8 of the server guide
          http://docs.jboss.org/jbossas/jboss4guide/r3/html/ch8.chapter.html

hope this helps clarify, cgriffith
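The model cgriffith describes above, as an added example that is not code from this thread, from Tomcat or from JBoss: a JAAS LoginContext produces a Subject whose Principal carries roles; the container parks that Principal in the session, and on every request it asks in order whether the URL is constrained, whether a Principal is present, and whether that Principal holds the required role. It runs on a plain JDK (17 or later): the InlineLoginModule, its user table, the "demo" login configuration and the CONSTRAINTS map are all constructed for the example, and the Session class stands in for the HttpSession. Under JBoss' client-login domain the login half differs in one important way: ClientLoginModule does not verify the password at all, it only records principal and credential so that the EJB invocation layer attaches them to each call (which is what the valve cgriffith points to does for web requests), and the EJB container's own security domain authenticates them on the server side.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

/** Added example: JAAS login whose Principal lives in a (simulated) session and is checked
 *  against URL security constraints on each request, the way a servlet container does it. */
public class JaasSessionDemo {

    /** Principal carrying the user name plus the roles granted at login (cf. Tomcat's GenericPrincipal). */
    public static final class RolePrincipal implements Principal {
        private final String name;
        private final Set<String> roles;
        RolePrincipal(String name, Set<String> roles) { this.name = name; this.roles = Set.copyOf(roles); }
        public String getName() { return name; }
        public boolean hasRole(String role) { return roles.contains(role); }
    }

    /** Hypothetical LoginModule checking an inline user table (constructed sample data; plaintext
     *  only to keep the example short, a real module compares against salted hashes). */
    public static class InlineLoginModule implements LoginModule {
        private static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret", "bob", "hunter2");
        private static final Map<String, Set<String>> ROLES =
                Map.of("alice", Set.of("Manager", "Employee"), "bob", Set.of("Employee"));
        private Subject subject;
        private CallbackHandler handler;
        private RolePrincipal principal;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException(e.toString());
            }
            String expected = PASSWORDS.get(nc.getName());
            char[] given = pc.getPassword();
            pc.clearPassword();
            // Constant-time compare; unknown user and wrong password fail with the same message.
            boolean ok = expected != null && given != null && MessageDigest.isEqual(
                    expected.getBytes(StandardCharsets.UTF_8),
                    new String(given).getBytes(StandardCharsets.UTF_8));
            if (!ok) throw new FailedLoginException("bad credentials");
            principal = new RolePrincipal(nc.getName(), ROLES.get(nc.getName()));
            return true;
        }
        public boolean commit() { if (principal == null) return false; subject.getPrincipals().add(principal); return true; }
        public boolean abort()  { principal = null; return true; }
        public boolean logout() { if (principal != null) subject.getPrincipals().remove(principal); principal = null; return true; }
    }

    static {
        // Programmatic equivalent of a login.config entry: demo { InlineLoginModule required; };
        Configuration.setConfiguration(new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        InlineLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        });
    }

    /** Stand-in for the HttpSession: the container keeps the Principal here between requests. */
    static final class Session { Principal principal; }

    /** Stand-in for web.xml security constraints: URL prefix -> required role (constructed). */
    static final Map<String, String> CONSTRAINTS = Map.of("/admin", "Manager", "/app", "Employee");

    /** Per-request check in the container's order: constrained URL? Principal present? role held? */
    static boolean authorize(Session session, String path) {
        String required = CONSTRAINTS.entrySet().stream()
                .filter(e -> path.startsWith(e.getKey())).map(Map.Entry::getValue).findFirst().orElse(null);
        if (required == null) return true;                                 // unconstrained resource
        if (!(session.principal instanceof RolePrincipal p)) return false; // unauthenticated: container would challenge
        return p.hasRole(required);
    }

    /** What a login-page backing bean does: run JAAS, then hand the Principal to the session.
     *  The authenticated entity is that Principal, not the bean object that ran the login. */
    static void login(Session session, String user, char[] password) throws LoginException {
        CallbackHandler handler = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback nc) nc.setName(user);
                else if (c instanceof PasswordCallback pc) pc.setPassword(password);
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("demo", handler);
        lc.login();                        // throws on failure, leaving the session's Principal untouched
        session.principal = lc.getSubject().getPrincipals(RolePrincipal.class).iterator().next();
    }

    public static void main(String[] args) throws Exception {
        Session session = new Session();
        System.out.println("before login  /app/report  -> " + authorize(session, "/app/report"));
        login(session, "bob", "hunter2".toCharArray());
        System.out.println("as bob        /app/report  -> " + authorize(session, "/app/report"));
        System.out.println("as bob        /admin/users -> " + authorize(session, "/admin/users"));
        try {
            login(session, "bob", "wrong".toCharArray());
        } catch (LoginException e) {
            System.out.println("wrong password: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac JaasSessionDemo.java && java JaasSessionDemo`. Two things the toy leaves out that a real container does: it renews the session id when the Principal is stored (otherwise a session fixed by an attacker before login inherits the authenticated Principal), and the backing bean should drop the password char[] once LoginContext.login() returns rather than keeping it in session scope.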

          • 2. Re: Rudimentary questions about how JAAS works
            cchoi

            Thanks for reply, cgriffith :)