This post originated from an RSS feed registered with Java Buzz
by Matt Raible.
Original Post: Using JAAS with Tomcat
Feed Title: Raible Designs ~ We Build Web Apps
Want to use JAAS with Tomcat? If so, you might want to check out this Using Tomcat with JAAS tutorial.
Although it is possible to use JAAS within Tomcat as an authentication mechanism (JAASRealm), the flexibility of the JAAS framework is lost once the user is authenticated. This is because the principals are used to denote the concepts of "user" and "role", and are no longer available in the security context in which the webapp is executed. The result of the authentication is available only through request.getRemoteUser() and request.isUserInRole().

This reduces the JAAS framework for authorization purposes to a simple user/role system that loses its connection with the Java Security Policy. This tutorial's purpose is to put a full-blown JAAS authorization implementation in place, using a few tricks to deal with some of Tomcat's idiosyncrasies.
Personally, request.isUserInRole() usually does everything I need. If I need something more than that, it's usually pretty easy to add some custom logic. Of course, if I ever need anything super robust, I'll probably use the Acegi Security System for Spring.
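To make the excerpt concrete, here is an added example (written for this page; it is not code from the post or from the linked tutorial) of the JAASRealm setup it describes: a LoginModule that puts one "user" principal and several "role" principals into the JAAS Subject, the Realm configuration that tells Tomcat which principal class means what, and a servlet that prints what the webapp can actually see afterwards. The package and class names (com.example.*), the login-context name "TomcatApp", the in-memory users and their roles, and the /whoami servlet are all assumptions made for the illustration. It targets the javax.servlet API; on Tomcat 10 and later the servlet imports become jakarta.servlet.

```java
// Added example for this page, not the post's or the tutorial's own code.
// com.example.*, "TomcatApp", the users/roles and /whoami are assumptions.
package com.example;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Deployment (assumed, minimal):
 *  1. Realm in server.xml or the webapp's context.xml. JAASRealm maps Principal
 *     classes onto Tomcat's "user" and "role" concepts by class name:
 *       <Realm className="org.apache.catalina.realm.JAASRealm" appName="TomcatApp"
 *              userClassNames="com.example.JaasTomcatExample$UserPrincipal"
 *              roleClassNames="com.example.JaasTomcatExample$RolePrincipal"/>
 *  2. JAAS login configuration (e.g. conf/jaas.config, passed to the JVM with
 *     -Djava.security.auth.login.config=<path>):
 *       TomcatApp { com.example.JaasTomcatExample$InMemoryLoginModule required; };
 *  3. web.xml: a <security-constraint> guarding /whoami with <role-name>admin</role-name>
 *     and <login-config><auth-method>BASIC</auth-method></login-config>.
 */
public final class JaasTomcatExample {

    /** The principal class JAASRealm treats as the authenticated user (userClassNames). */
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** The principal class JAASRealm treats as a role (roleClassNames). */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** LoginModule over a constructed in-memory user table (sample data, not real users). */
    public static final class InMemoryLoginModule implements LoginModule {
        private static final Map<String, char[]> PASSWORDS = new HashMap<>();
        private static final Map<String, String[]> ROLES = new HashMap<>();
        static {
            PASSWORDS.put("alice", "s3cret".toCharArray());  ROLES.put("alice", new String[] {"admin", "user"});
            PASSWORDS.put("bob",   "hunter2".toCharArray()); ROLES.put("bob",   new String[] {"user"});
        }
        private Subject subject;
        private CallbackHandler handler;
        private String user;   // set by login(), consumed by commit()

        @Override public void initialize(Subject subject, CallbackHandler handler,
                                         Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("username: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] {nc, pc});   // JAASRealm's handler fills these from the HTTP credentials
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e.getMessage());
            }
            char[] expected = PASSWORDS.get(nc.getName());
            char[] given = pc.getPassword();
            pc.clearPassword();
            // A real module stores salted hashes and compares with MessageDigest.isEqual;
            // the single failure message avoids telling a caller whether the user exists.
            if (expected == null || given == null || !Arrays.equals(expected, given)) {
                throw new FailedLoginException("bad credentials");
            }
            user = nc.getName();
            return true;
        }

        /** Populate the Subject; this is all JAASRealm looks at to derive user and roles. */
        @Override public boolean commit() {
            if (user == null) return false;
            subject.getPrincipals().add(new UserPrincipal(user));
            for (String role : ROLES.get(user)) subject.getPrincipals().add(new RolePrincipal(role));
            return true;
        }
        @Override public boolean abort()  { user = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); user = null; return true; }
    }

    /** What the webapp sees after JAASRealm has authenticated the request. */
    @WebServlet("/whoami")
    public static final class WhoAmIServlet extends HttpServlet {
        @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.setContentType("text/plain");
            PrintWriter out = resp.getWriter();
            Principal p = req.getUserPrincipal();
            out.println("getRemoteUser():       " + req.getRemoteUser());
            out.println("getUserPrincipal():    " + (p == null ? "null" : p.getClass().getName()));
            out.println("isUserInRole(\"admin\"): " + req.isUserInRole("admin"));
            out.println("isUserInRole(\"user\"):  " + req.isUserInRole("user"));
            // Tomcat does not run the request inside Subject.doAs/callAs, so the Subject
            // built in commit() is not on this thread: Subject-based authorization
            // (policy grants keyed on principal classes) has nothing to work with.
            // Subject.current() is JDK 18+; older JDKs use Subject.getSubject(AccessController.getContext()).
            out.println("Subject on thread:     " + Subject.current());
        }
    }
}
```

Requesting /whoami as alice with HTTP Basic credentials shows the two calls the excerpt names returning useful values (getRemoteUser() gives "alice", isUserInRole("admin") is true) while the thread-bound Subject is null. Any authorization that needs the Subject itself, such as a policy grant on a RolePrincipal or a Subject.doAs around a privileged call, therefore has to be rebuilt inside the webapp, which is the gap the tutorial's "tricks" set out to close.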