4 Replies Latest reply on Oct 5, 2001 9:14 AM by pitdingo

    Jaas

    faisalab

      I am just wondering whether JAAS can provide efficient security for J2EE!

      faisal

        • 1. Re: Jaas
          jwkaltz

          What makes you think it doesn't?
          Since it is the Java security-related API, it seems to me it makes sense to build security in J2EE upon this API.

          • 2. Re: Jaas
            pitdingo

            The more I see of it, JAAS is non-portable and poorly thought out.


            1) If you do a manual login, it is only for that thread. The only way to bind it to the container for further access is to call a server-specific method. The ability to bind your authenticated user to the container should be provided by the LoginContext object, or some other JAAS object.

            2) If you want to do something like have multiple parameters on your login web page, you have to use JavaScript to combine fields into the j_username and j_password fields to pass to j_security_check and parse them in your login module. This is bad design.

            3) The Callback mechanism does not map cleanly to the web environment. What does a 'prompt' have to do with an HTML form? There really should be a HTMLCallback class that takes the form element name of what to retrieve.

            4) The Principal objects you create in your LoginModule are not the Principal objects you get from the HttpServletRequest.getUserPrincipal() method. (This could just be a bug in JBoss.) If I use instanceof on the principal returned from the getUserPrincipal() method, it is not of the type created in my custom LoginModule.
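The JAAS pieces argued over in this thread (LoginContext, LoginModule, CallbackHandler, Principal), as an added example that is not code from the thread or from JBoss. It runs a complete login in plain Java (8 or later) with no container involved, so the only thing it can show about points 1 and 4 is the baseline: the Principal in the returned Subject is the exact instance that commit() added, and nothing binds that Subject to anything beyond the caller's reference (or a Subject.doAs on the same thread). On the JAAS side it also does what points 2 and 3 ask for: a CallbackHandler that reads named form fields from a map shaped like ServletRequest.getParameterMap() instead of honouring prompts, and carries an extra field in a TextInputCallback rather than splicing it into j_username. Whether a container's j_security_check form login lets you plug in such a handler is the integration question the posters are debating, and is not shown. The class names, the one-entry user table and the form values are all constructed for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Added example, not code from the thread: a form-driven JAAS login with no container involved. */
public class JaasFormDemo {
    /** Principal type the LoginModule below adds to the Subject (hypothetical name). */
    public static final class FormUserPrincipal implements Principal {
        private final String name, realm;
        FormUserPrincipal(String name, String realm) { this.name = name; this.realm = realm; }
        public String getName() { return name; }
        @Override public String toString() { return name + "@" + realm; }
    }

    /** CallbackHandler fed from a map shaped like ServletRequest.getParameterMap(). Prompts are
     *  ignored; form field names route the values (the job pitdingo's HTMLCallback would do), and
     *  the extra 'realm' field rides in a TextInputCallback instead of being spliced into j_username. */
    public static final class FormCallbackHandler implements CallbackHandler {
        private final Map<String, String[]> params;
        FormCallbackHandler(Map<String, String[]> params) { this.params = params; }
        private String field(String key) {
            String[] v = params.get(key); return (v == null || v.length == 0) ? null : v[0];
        }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(field("j_username"));
                else if (cb instanceof TextInputCallback) ((TextInputCallback) cb).setText(field("realm"));
                else if (cb instanceof PasswordCallback) {
                    String pw = field("j_password");
                    ((PasswordCallback) cb).setPassword(pw == null ? null : pw.toCharArray());
                } else throw new UnsupportedCallbackException(cb);
            }
        }
    }

    /** Minimal LoginModule with one hard-coded user (constructed test data, not a real credential store). */
    public static final class FormLoginModule implements LoginModule {
        private static final Map<String, String> USERS = Collections.singletonMap("alice", "s3cret");
        private Subject subject;
        private CallbackHandler handler;
        private FormUserPrincipal pending;
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("username: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            TextInputCallback rc = new TextInputCallback("realm: ");
            try {
                handler.handle(new Callback[] { nc, pc, rc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e);
            }
            char[] pw = pc.getPassword();             // returns a copy, so clearing the callback is safe
            pc.clearPassword();
            String expected = USERS.get(nc.getName());
            // MessageDigest.isEqual is constant-time, so unknown user and wrong password time alike.
            boolean ok = expected != null && pw != null && MessageDigest.isEqual(
                    expected.getBytes(StandardCharsets.UTF_8), new String(pw).getBytes(StandardCharsets.UTF_8));
            if (!ok) throw new FailedLoginException("bad credentials");
            pending = new FormUserPrincipal(nc.getName(), rc.getText());
            return true;
        }
        /** Adds the very Principal instance that callers will later find in the Subject. */
        public boolean commit() { if (pending != null) subject.getPrincipals().add(pending); return pending != null; }
        public boolean abort() { pending = null; return true; }
        public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof FormUserPrincipal); return true; }
    }

    /** Authenticate from a form-style parameter map using an in-memory Configuration (no login.config file). */
    public static Subject loginFromForm(Map<String, String[]> params) throws LoginException {
        Configuration cfg = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(FormLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap()) };
            }
        };
        LoginContext lc = new LoginContext("FormDemo", new Subject(), new FormCallbackHandler(params), cfg);
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        Map<String, String[]> form = new HashMap<>();      // constructed sample form post
        form.put("j_username", new String[] { "alice" });
        form.put("j_password", new String[] { "s3cret" });
        form.put("realm", new String[] { "intranet" });
        Subject s = loginFromForm(form);
        for (Principal p : s.getPrincipals())
            System.out.println(p + " instanceof FormUserPrincipal: " + (p instanceof FormUserPrincipal));
        // The Subject is visible only through this reference (or inside Subject.doAs on this thread);
        // handing it to a servlet or EJB container is the server-specific step pitdingo describes.
    }
}
```

Compile and run with `javac JaasFormDemo.java && java JaasFormDemo`; with the sample form the Subject holds the single FormUserPrincipal and the instanceof check is true, because nothing sits between the LoginModule and the caller. Change j_password and login() throws FailedLoginException instead. The design point worth keeping from the thread is that the LoginModule never sees HTTP: everything about the form lives in the CallbackHandler, which is the piece a container normally owns.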

            • 3. Re: Jaas
              jwkaltz

              I think it is important that we keep the two issues separate: there is JAAS, which is a security API coming from Sun. It is definitely portable, in itself. Then there is JBossSX, which provides security in JBoss and which uses JAAS for the login part.
              So there are two discussions: one is whether JAAS is well-defined or missing things. Perhaps an HTMLCallback would be a good thing? But then, you should discuss it in a Sun forum.
              The other discussion is whether the JBossSX architecture is a good one. Clearly, EJB security as implemented in JBoss is non-portable, but how could it be? The JAAS part defines the login module, which by itself is portable, but the integration of JAAS in an EJB environment is not standardized, so it can't be portable. My understanding is that the JBossSX authors' hope is that JAAS will be used in the future as the standard for building EJB security. If Sun releases such a standard, then it will (perhaps) be possible to implement portable security mechanisms.

              Your comments about web forms are probably valid, but remember that web page issues are in fact separate from EJBs / JBossSX / JAAS. In our application we are not using the provided web page mechanisms. So, perhaps the default HTML form mappings are not adequate, I don't know, but that shouldn't affect the EJB security architecture as such.

              • 4. Re: Jaas
                pitdingo


                I am not saying JBoss is a bad product; I think JBoss is a great product and its authors are doing a great job.

                JAAS is in the J2EE 1.3 spec, although it leaves a lot to the imagination. I am just frustrated by the lack of vision it comes from.


                > I think it is important that we keep the two issues
                > separate: there is JAAS, which is a security API coming
                > from Sun. It is definitely portable, in itself. Then
                > there is JBossSX, which provides security in JBoss
                > and which uses JAAS for the login part.
                > So there are two discussions: one is whether JAAS is
                > well-defined or missing things. Perhaps an
                > HTMLCallback would be a good thing? But then, you
                > should discuss it in a Sun forum.
                > The other discussion is whether the JBossSX
                > architecture is a good one. Clearly, EJB security as
                > implemented in JBoss is non-portable, but how could
                > it be? The JAAS part defines the login module, which
                > by itself is portable, but the integration of JAAS
                > in an EJB environment is not standardized, so it
                > can't be portable. My understanding is that the JBossSX
                > authors' hope is that JAAS will be used in the
                > future as the standard for building EJB security. If
                > Sun releases such a standard, then it will (perhaps)
                > be possible to implement portable security
                > mechanisms.
                >
                > Your comments about web forms are probably valid, but
                > remember that web page issues are in fact separate from
                > EJBs / JBossSX / JAAS. In our application we are not
                > using the provided web page mechanisms. So, perhaps
                > the default HTML form mappings are not adequate, I
                > don't know, but that shouldn't affect the EJB
                > security architecture as such.

                HTML form mapping would coexist with the other classes.