The Artima Developer Community
Sponsored Link

Java Community News
Integrating JAAS with J2EE

0 replies on 1 page.

Welcome Guest
  Sign In

Go back to the topic listing  Back to Topic List Click to reply to this topic  Reply to this Topic Click to search messages in this forum  Search Forum Click for a threaded view of the topic  Threaded View   
Previous Topic   Next Topic
Flat View: This topic has 0 replies on 1 page
Frank Sommers

Posts: 2642
Nickname: fsommers
Registered: Jan, 2002

Integrating JAAS with J2EE Posted: Sep 14, 2006 10:49 AM
Reply to this message Reply
In a recent article, Denis Pilipchuk reviews the mismatch between JAAS authentication and J2EE, focusing especially on the difficulty of mapping J2EE roles to an authenticated JAAS Subject. The article also highlights some of the proposed solutions.

JAAS, the Java Authentication and Authorization Service, is the standard Java mechanism to authenticate users to an application (the authentication part), and then ensure that only authorized users access certain resources (the authorization part).

While JAAS is a well thought-out API, and is widely used, integrating JAAS's view of Java security into a J2EE application has been rather difficult. In a recent article, Using JAAS in Java EE and SOA Environments, Denis Pilipchuk points out that,

At the moment, there are three major sore spots in this integration (or lack thereof):

  • There is no binding defined for JAAS authentication for a Java EE Servlet authentication mechanism.
  • JAAS and EE rely on different representations of a user's identity.
  • Permission mapping, and therefore authorization, is not consistent between EE application layers.

Pilipchuk goes to discuss the mismatch between the JAAS and J2EE notions of an authenticated user, or subject:

One of the greatest integration problems lies in the different approaches to user representation in JAAS and Java EE worlds... This is where the integration never really took place, and which has been and still remains the greatest source of incompatibility...

Unfortunately, the relationship and conversion rules between these two different representations have not been specified in either direction. This means that, given a Subject, a Java EE container will use a vendor-proprietary algorithm for selecting one of its Principals to use in the EE API. And, given a Principal, there is no standard way to retrieve the associated Subject for it to use in the JAAS API.

The article also discusses the problems with using JAAS's authorization scheme in J2EE:

Directly related to the problems around Subject propagation is the user policy issue. If the same user may be associated with different Principal sets contained in multiple Subjects, depending on which part of the system you are looking at, imagine what havoc it wreaks for authorization policies...

The second authorization issue...has also been known and discussed for a number of years, but nothing has changed. First, after introducing JAAS into [the] J2SE security architecture, the doPrivileged() method of was not updated, which led to cutting off the current Subject in Subject.doAs() calls... Since J2EE places a requirement to propagate the current call Principal from servlets into EJBs, the runtime behavior is undefined.

In conclusion, the article points to JSRs 115 and 196 as solutions to this integration problem.

If you currently use JAAS in a J2EE application, what are your biggest challenges in integrating these frameworks?

Topic: Integrating JAAS with J2EE Previous Topic   Next Topic Topic: Ethan Nicholas on the Java Browser Edition

Sponsored Links


Copyright © 1996-2019 Artima, Inc. All Rights Reserved. - Privacy Policy - Terms of Use