I'm working on implementing authentication mechanisms for a web application. The web tier components will be accessing business objects implemented as EJBs (mainly session beans). The business objects will also be accessed by remote systems through RMI as well as using web service protocols. I've been trying to figure out whether JAAS would be the right framework for implementing the authentication mechanism requirements that have been identified.
I'm a bit new to JAAS, so I'd appreciate feedback on whether JAAS is the right choice in this case as well as some pointers on how the requirements can best be implemented. Here are some of the requirements I've gathered so far:
- I need to be able to support different authentication mechanisms for the protected resources simultaneously. I need to support at least the following mechanisms: HTTP basic authentication, form-based (username & password + session cookie) and MS NTLM. Can JAAS support different authentication mechanisms simultaneously for different users?
- User authentication information can be stored in different places: MS Active Directory or Apache htpasswd files.
- Users can have different group memberships in different workspaces in the application. Users are not re-authenticated when they navigate from one workspace to another. How do I set group memberships dynamically with JAAS for the user, so that group memberships are automatically updated when switching between workspaces?
- How portable are JAAS login modules? Can I run a database login module on different application servers?
- Access control is data-object based (vs. web-resource based): for each data object there's a list of groups and operations that each group can perform on the object. There can be millions of data objects, so access should be authorized in a database query (performance will hurt if e.g. 5 million objects are loaded from the database and isUserInRole() is called for each). How do I get a list of roles which the user currently has so that I can include that list in the database query for authorization purposes?
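The following is an added example, not code from the original post, illustrating two of the points raised above: how a JAAS `LoginModule` can attach workspace-scoped group principals to the `Subject` at `commit()` time, and how those principals can then be pulled back out of the `Subject` and bound as parameters of a single authorization query instead of calling `isUserInRole()` per object. Everything here is hypothetical: `DemoLoginModule`, `GroupPrincipal`, `UserPrincipal`, the in-memory `PASSWORDS`/`GROUPS` maps (a constructed stand-in for an htpasswd file or Active Directory lookup), and the `data_object`/`object_acl` table names. Only the standard `javax.security.auth` APIs are real. It is a single file that compiles on Java 16 or later (records and pattern-matching `instanceof`).

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasGroupQueryDemo {

    /** Hypothetical principal types: the user, and a group membership scoped to one workspace. */
    public record UserPrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }
    public record GroupPrincipal(String workspace, String group) implements Principal {
        @Override public String getName() { return workspace + ":" + group; }
    }

    /** Constructed stand-in for an htpasswd file / directory (a real module would verify a hash). */
    static final Map<String, char[]> PASSWORDS = Map.of("alice", "s3cret".toCharArray());
    static final Map<String, Map<String, List<String>>> GROUPS = Map.of(
        "alice", Map.of("ws-finance", List.of("auditors"), "ws-ops", List.of("editors", "viewers")));

    /** Minimal LoginModule: verifies credentials in login(), populates the Subject in commit(). */
    public static class DemoLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private String user; private boolean ok;

        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h;
        }
        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[]{nc, pc}); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            char[] expected = PASSWORDS.get(nc.getName());
            ok = expected != null && Arrays.equals(expected, pc.getPassword());
            pc.clearPassword();                       // do not keep the secret around
            if (!ok) throw new FailedLoginException("bad credentials");
            user = nc.getName();
            return true;
        }
        @Override public boolean commit() {
            if (!ok) return false;
            subject.getPrincipals().add(new UserPrincipal(user));
            // One GroupPrincipal per (workspace, group): memberships for every workspace are
            // attached once at login, so switching workspaces needs no re-authentication.
            GROUPS.getOrDefault(user, Map.of()).forEach((ws, gs) ->
                gs.forEach(g -> subject.getPrincipals().add(new GroupPrincipal(ws, g))));
            return true;
        }
        @Override public boolean abort() { ok = false; user = null; return true; }
        @Override public boolean logout() {
            subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal || p instanceof GroupPrincipal);
            return true;
        }
    }

    /** Programmatic JAAS configuration so the demo needs no external login.config file. */
    static final Configuration CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[]{ new AppConfigurationEntry(DemoLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
        }
    };

    /** Runs the login and returns the populated Subject. */
    static Subject login(String user, char[] password) throws LoginException {
        CallbackHandler h = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback nc) nc.setName(user);
                else if (c instanceof PasswordCallback pc) pc.setPassword(password);
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("demo", new Subject(), h, CONFIG);
        lc.login();
        return lc.getSubject();
    }

    /** SQL text plus bind parameters; group names are parameters, never concatenated into the SQL. */
    record Query(String sql, List<Object> params) {}

    static Query authorizedObjectsQuery(Subject subject, String workspace, String operation) {
        List<String> groups = new ArrayList<>();
        for (GroupPrincipal g : subject.getPrincipals(GroupPrincipal.class))
            if (g.workspace().equals(workspace)) groups.add(g.group());
        Collections.sort(groups);                                   // deterministic parameter order
        if (groups.isEmpty()) return new Query("SELECT id FROM data_object WHERE 1 = 0", List.of());
        String placeholders = String.join(", ", Collections.nCopies(groups.size(), "?"));
        String sql = "SELECT DISTINCT o.id FROM data_object o JOIN object_acl a ON a.object_id = o.id"
            + " WHERE a.workspace = ? AND a.operation = ? AND a.group_name IN (" + placeholders + ")";
        List<Object> params = new ArrayList<>(List.of(workspace, operation));
        params.addAll(groups);
        return new Query(sql, params);
    }

    public static void main(String[] args) throws Exception {
        Subject s = login("alice", "s3cret".toCharArray());
        Query q = authorizedObjectsQuery(s, "ws-ops", "read");
        System.out.println(q.sql());     // placeholders only; bind q.params() in order on a PreparedStatement
        System.out.println(q.params());  // [ws-ops, read, editors, viewers]
    }
}
```

The shape of the query is what matters for the last requirement: the database does the filtering over millions of rows using the caller's group list as bind parameters, so no object is loaded only to be rejected by `isUserInRole()`. Keeping group names as parameters rather than splicing them into the SQL string also removes the injection risk that arises as soon as group names come from an external directory. On a real application server the `Subject` would come from the container (or from `Subject.getSubject(AccessController.getContext())` on older JDKs) rather than from a hand-built `LoginContext`, but the principal-extraction step is the same.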