3
votes

I'm new to Java EE development; however, I'm doing well in it. I'm a bit confused about the security part of my application.

I have read a few articles on how I can implement JAAS security in my Java EE web application. This is what I read & understood; all the others were unclear: http://uaihebert.com/user-login-validation-with-jaas-and-jsf/

The example is great and all, but it configures the JBoss server. I'm not using JBoss and I'm not intending to. If I were to use JAAS, do I need to configure the local web server I'm running (developing) on? Perhaps there are some things I don't really understand about JAAS? And if I were to follow that example and use JBoss and configure it as they did, when I deploy my web application as a WAR file, and I upload the WAR file, let's say, on a Tomcat server, will it still be secured?

Any help/guidance would be extremely appreciated! Thanks!

1
How JAAS should be configured is indeed server dependent and not related in any way to JSF. That is why (at least what I think) it has not taken off - Kukeltje
@Kukeltje Thanks for your reply :) I see, so if I develop my application on, let's say, JBoss, then deploy a WAR, it won't be secured on any other server? That's what I understood from your "server dependent", am I right? Thanks again - Abu Assadeq
@Uux you mean JACC ;) It really isn't that bad and an interesting foundation. It just didn't have anyone pushing it further. It has been maintained but not modernised. Such a shame. It most misses a Factory to register JACC providers. - Mike Braun
@Uux Following the EG list I get the impression there's nobody present at all from the original people behind JAAS, JASPIC, JACC and security parts in individual specs in Java EE. Especially the mails from the first month made it look like people "just" wanted something DeltaSpike like (do everything in CDI, ignore existing things). I'm afraid that without a JACC MR to provide a factory, JSR 375 cannot utilise JACC. Because Oracle is in a kind of shutdown mode now I'm also afraid we won't be seeing that MR 😔 - Mike Braun

1 Answer

4
votes

JAAS security doesn't exist in Java EE. JAAS is a Java SE framework to secure resources at the class level. You use this for limiting what code you downloaded (like applets) can do on your computer.

With Java EE the situation is reversed. You don't download unknown code for a single user (you on your computer), but unknown users log in to your code (that you run on a server).

Some confusion happens because a few servers use the term JAAS for the server specific implementation of what's lately called "identity stores" (the things that store users and roles like ldap).

But:

  • Only an embarrassingly small part of JAAS is used (some types like LoginModule)
  • Servers that claim to use JAAS all do it in such a different way that you only wonder why they bothered with it to begin with
  • By far not every server uses JAAS. Tomcat, Jetty, Resin, Liberty, and WebSphere don't use it at all.