JAAS for human beings


Solution 1

Here are some of the links I used to help understand JAAS:

http://www.owasp.org/index.php/JAAS_Tomcat_Login_Module

http://www.javaworld.com/jw-09-2002/jw-0913-jaas.html

http://jaasbook.wordpress.com/

http://roneiv.wordpress.com/2008/02/18/jaas-authentication-mechanism-is-it-possible-to-force-j_security_check-to-go-to-a-specific-page/

Also have a look at the Apache tomcat realms configuration how-to:

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

Solution 2

Other users have provided some very useful links above, so I am not going to bother with links. I have done similar research into JAAS for web applications and ran into a "mind roadblock" until I finally realized that JAAS is a framework tackling security at a different "layer" than web applications in the Java world. It is built to tackle security issues in Java SE, not Java EE.

JAAS is a security framework built for securing things at a much lower level than web applications. Some examples of these things are code and resources available at the JVM level, hence all the ability to set policy files at the JVM level.

However, since Java EE is built on top of Java SE, a few modules from JAAS were reused in Java EE security such as the LoginModules and Callbacks.

Note that in addition to Java EE security, there is also Spring Security (formerly known as Acegi), which, similar to native Java EE security, tackles a much higher "layer" of the securing-web-applications problem. It is a separate security implementation and is not built on top of standard Java EE security, although it behaves similarly in many regards.

To summarize, unless you are looking to secure resources at the Java SE level (classes, system resources), I don't see any real use of JAAS other than using the common classes and interfaces. Just focus on using Spring Security or plain old Java EE security, which both solve a lot of common web application security problems.

Solution 3

javax.security is, imho, an overcomplicated API. As a result there are implementors not only of LoginModules but of the entire authentication and authorization API, which create an abstraction layer above it, like Authentication & Authorization managers.

For starters, it is good to print this into your memory.

Secondly, imho the simplest, set-up-and-go library for JAAS is JBoss PicketBox. It says how to do authentication and authorization via JBossAuthenticationManager and JBossAuthorizationManager ... Easily configurable via XML or annotations. You can use it for managing both webapps and standalone applications.

If you need the authorization part for managing repository access, in terms of ACLs for resources, this is what you are looking for, for sure.

The problem with security is that usually you need to customize it to your needs, so you may end up implementing:

LoginModule - verifies userName + password.

CallbackHandler - is used like this: new LoginContext("Sample", new MyCallbackHandler());

The CallbackHandler is passed to the underlying LoginModules so they may communicate and interact with users - prompting for a username and password via a graphical user interface, for example. So inside the handler you get the username and password from the user, and they are passed to the LoginModule.

LoginContext - then you just call lc.login(); and authenticate the credentials. The LoginContext is populated with the authenticated Subject.

However, JBoss PicketBox gives you a really easy way to go, unless you need something specific.

Solution 4

lsiu's answer is one of the few answers here that really "get it" ;)

Adding to that answer, a really good reference on this topic is Whatever Happened to JAAS?.

It explains how JASPIC is the link in Java EE between the Servlet and EJB security models and potentially a JAAS login module, but that in many cases JAAS' role is reduced to that of a relatively simple username and roles provider in Java EE.

From the same author is JAAS in the Enterprise, which is an older article but provides a lot of historical background on why the Java SE (JAAS) and Java EE models diverged the way they did.

Overall only a few types from JAAS are directly used in Java EE: basically Principal, Subject, and CallbackHandler. The latter two are mainly used by JASPIC. I've explained JASPIC in the article Implementing container authentication in Java EE with JASPIC.

Solution 5

I can't speak too much to JAAS itself, but this "suggested steps" guide on Spring Security and the reference manual are both pretty good resources on Spring Security - if your setup is anything close to simple, you don't really need to do much more than read these.


Author: Dan

Updated on April 02, 2020

Comments

  • Dan
    Dan about 4 years

    I am having a hard time understanding JAAS. It all seems more complicated than it should be (especially the Sun tutorials). I need a simple tutorial or example on how to implement security (authentication + authorization) in a Java application based on Struts + Spring + Hibernate with a custom user repository. Can be implemented using ACEGI.

    • Guido Anselmi
      Guido Anselmi over 10 years
      Awesome question. Great pithy title for a legitimate documentation failure.
    • cristiandley
      cristiandley over 8 years
      Best Q&A on JAAS. I've been having a really hard time trying to start with it.
    • pss1suporte
      pss1suporte about 7 years
      @mattb , I would like to make an addendum, if possible. I believe that my answer may help in understanding your question. Conceptually saying.
  • aliopi
    aliopi over 12 years
    The "suggested steps" guide has moved here: static.springsource.org/spring-security/site/start-here.html
  • jacktrades
    jacktrades over 11 years
    Java EE 6 Tutorial assumes understanding basic security concepts, so a little overview of JAAS won't hurt.
  • David Hofmann
    David Hofmann about 8 years
    Best explanation on JAAS ever!
  • Eric B.
    Eric B. almost 8 years
    The link for jaasbook is dead. It has now been moved to jaasbook.wordpress.com
  • pss1suporte
    pss1suporte about 7 years
    @Martlark , I would like to make an addendum, if possible. I believe that my answer may help in understanding your answer. Conceptually saying.
  • pss1suporte
    pss1suporte about 7 years
    @isiu, I would like to make an addendum, if possible. I believe that my answer may help in understanding your answer. Conceptually saying.