JAAS and J2EE authorization combination

Similar Messages

• Conceptual help : JAAS and J2EE

  Hey guys.
  I really need some conceptual help. I have been doing a bunch of reading
  on JAAS but I am missing a couple key concepts and I have a whole wad of questions.
  First let me tell you my end goal: I want my J2EE client application to be able to connect to the app server and send/receive messages in a JMS queue that has access controls on it. This client will not run in the same VM as the app server and often not on the same machine.
  I have it now so that I can connect and send and receive messages from a queue that allows default authorization.
  Question 1 : When I create an InitialContext with JNDI, there are some security properties you can set to specify a username and password. From my reading it is my impression that this is the "old" way. Is that true?
  Question 2 : When you create a LoginContext with JAAS outside of the application server what will it authenticate against? How can I make it authenticate against the same source as the app server?
  Question 3 : So after I create an LoginContext and have authenticated, how does the server know that I was authenticated? There really isn't a way to pass the LoginContext along to the server is there? and how would it associate it with me?
  Any help is appreciated.
  Regards,
  David B.
  [email protected]

  I think I can help you out with Q's 2 & 3
  When you authenticate with JAAS, there are a couple of things that happen. First, you're probably going to have to write your own LoginModule. This is because unless you want to handle ALL security programmatically (i.e. programmatically handle authentication/authorization on the server receiving the messages) you have to use proprietary server APIs. This is at least my experience with WebLogic. Second, in the LoginModule, you have to call weblogic.authenticate()... or something like that. This method requires a security realm within the server such that it can authenticate the user and set the appropriate AccessControlContext - which allows you to use declarative security in the EJB/web tier.
  If you choose not to utilize a security realm in the server (really, JAAS should be a replacement to a realm, not an addendum) every object that you wish to authenticate/authorize must be done so programmatically. In my extensive research, I've found that JAAS does not justify complete replacement of declarative security (at least for my project requirements). It can enhance declarative security and provide fine-grained authorization. However, the pluggable authentication did not provide us any benefit, portability, or extensibility as it just added additional development/testing.
  I have a topic below yours inquiring to user experience in this area. I've read a lot of JAAS posts (most of them don't have replies) and the whole concept seems to be a big question mark. What I have determined though, is that JAAS was never meant to be utilized WITHIN the server. Instead, it was intended as a means for thick clients to authenticate/authorize against a server.
  If I am wrong on any of this, someone please correct me!!

• How to do JAAS and J2EE Deployment Descriptor ACL : Please help

  I am trying to develop a Single sign on application using EJB's, JAAS,
  ACL, struts and JSP to Log in with a form authenticate (using
  j_security_check to hook into the web.xml security) then pull a user
  from a database and use the roles defined there for authorization in
  the rest of the system?
  The examples on the web are from java clients to RMI, they also sit
  alone. They dont say how to hook them into weblogic. They say to use
  JAAS but they have just JAAS examples! No hooking of it into an EJB,
  servlet, etc! They also dont show how to hook that code into web
  server to use it as your security module!
  What Settings/configuration I need to make in the web server for JAAS
  to work. How the logic proceeds to authorization after form is
  submitted using j_security_check. and to further logic in the
  application. How is it then integrated with the Struts action forms.
  Help, I'm at a loss. They recommend using JAAS but their documentation
  and examples do not explain how. We have a complex real world product
  and need examples of
  the same. Can somebody provide me a working real-life example which
  really work and give me some pointers to proceeds that will be really
  helpful.
  Thanks in advance for the help.

  I am trying to develop a Single sign on application using EJB's, JAAS,
  ACL, struts and JSP to Log in with a form authenticate (using
  j_security_check to hook into the web.xml security) then pull a user
  from a database and use the roles defined there for authorization in
  the rest of the system?
  The examples on the web are from java clients to RMI, they also sit
  alone. They dont say how to hook them into weblogic. They say to use
  JAAS but they have just JAAS examples! No hooking of it into an EJB,
  servlet, etc! They also dont show how to hook that code into web
  server to use it as your security module!
  What Settings/configuration I need to make in the web server for JAAS
  to work. How the logic proceeds to authorization after form is
  submitted using j_security_check. and to further logic in the
  application. How is it then integrated with the Struts action forms.
  Help, I'm at a loss. They recommend using JAAS but their documentation
  and examples do not explain how. We have a complex real world product
  and need examples of
  the same. Can somebody provide me a working real-life example which
  really work and give me some pointers to proceeds that will be really
  helpful.
  Thanks in advance for the help.

• How to do JAAS and J2EE Deployment Descriptor ACL in WLS

  The examples on this website and shipped with WLS stink. Does there exist a GOOD
  example of how to
  Log in with a form
  authenticate (I guess using j_security_check to hook into the web.xml security)
  then pull a user from a database and use the roles defined there for authorization
  in the rest of the system?
  The weblogic examples are from java clients to RMI (ya, thats handy). They also
  sit alone. They dont say how to hook them into weblogic. They say to use JAAS
  but they have just JAAS examples! No hooking of it into an EJB, servlet, etc!
  They also dont show how to hook that code into WLS to use it as your security
  module!
  Help, I'm at a loss.
  They recommend using JAAS but their documentation and examples of doing so suck
  or are non existant. We have a complex real world product and need examples of
  the same. Stupid, stand alone examples that teach nothing do no help.
  frustrated at BEA for their poor documentation and support,
  Mike

  Also, I use struts....
  In struts you have to extend the Action class which then calls the perform()
  method on your servlet.
  So to call an EJB I have to have my servlet implement PrivilegedAction?
  If so, then this wants a run() method. Struts calls perform so that means
  I'm going to have to make another class to call from my servlet with a run
  method()? Or I'm going to have my servlet implement PrivledgedAction and
  call Security.runAs()?
  What if I just want to call the EJB from my servlet and put my security
  credentials in the JNDI lookup? I want the container to use the roles of the
  user in the JNDI lookup to authorize methods based on the deployment
  descriptors.
  thanks,
  Mike
  "Vimala Ranganathan" <[email protected]> wrote in message
  news:[email protected]...
  Hi Micheal,
  Attached is an exmaple of JAAS login and invoking an EJB.
  Let me know if this turns out to be useful.
  Regarding the form based authentication, Could you be more clear on whatissue you are
  facing?
  Just as note, when you use form based login, WLS would authenticate theuser against
  the realm
  WLS is setup for, which could be a file Realm, or a RDBMS realm (in whichcase users
  and groups are from database)
  Roles cannot be defined at the database level. This needs to be atapplication level
  which you can define in web.xml or
  console(in 7.0)
  If you need any specific help or more information please let me know.
  Vimala
  Michael Lee wrote:
  The examples on this website and shipped with WLS stink. Does there
  exist a GOOD
  example of how to
  Log in with a form
  authenticate (I guess using j_security_check to hook into the web.xmlsecurity)
  then pull a user from a database and use the roles defined there forauthorization
  in the rest of the system?
  The weblogic examples are from java clients to RMI (ya, thats handy).They also
  sit alone. They dont say how to hook them into weblogic. They say to useJAAS
  but they have just JAAS examples! No hooking of it into an EJB, servlet,etc!
  They also dont show how to hook that code into WLS to use it as yoursecurity
  module!
  Help, I'm at a loss.
  They recommend using JAAS but their documentation and examples of doingso suck
  or are non existant. We have a complex real world product and needexamples of
  the same. Stupid, stand alone examples that teach nothing do no help.
  frustrated at BEA for their poor documentation and support,
  Mike

• JAAS and J2EE SDK -- please help!

  Hi,
  I'd like to know if it is possible to use customized LoginModule classes in the J2EE SDK reference impl. 1.3
  If so what I can't understand is the following:
  if I use the form-based auth. mechanism in my web app. how can I specify which login module to use? I mean I know JAAS needs an entry in a configuration file such as
  mylogin{
    MyLoginModule required debug=false;
  };but my question is in what file should I add it? clientlogin.config, login.config or serverlogin.config?
  And much more important question is: how can I then specify that I need to use the "mylogin" entry?
  I don't know how the JSecurityCheck servlet work, is there any document where I can find the source code of it?
  Please can anyone help me?
  Thanks in advance.

  I managed to get it working in tomcat 4.0 if you create a config file with the details you've specified called login.config you then need to pass it as a parameter when you start your servlet engine
  i.e. -Djava.security.auth.login.conf=login.config

• Authentication & Authorization with SSO, JAAS and Database Tables mix

  Hi,
  I'm looking for how manage Authentication & Authorization in a J2EE ADF+Struts+JSP application.
  I'm interested in use SSO for authentication (I just did it programatically & dynamically already), and now I would like to could define authorization using database tables with users, groups, profiles, individual permissions, ..., (maitanined dynamically by web application admin) throught JAZN (JAAS or however is said) but not statically defining roles, groups, users, ... in jazn xml files.
  I saw that exists the possibility to create a custom DataSourceUserManager class to manage all this, and this gave me the idea that this could be possible to do (I was thinking in make a custom Authorization API over my application tables, without JAZN) but what is better that use and extended and consolidated aprox like JAZN.
  Anybody could tell me if my idea could be possible, and realizable, and maybe give me some orientation to build this approach.
  A lot of thanks in advanced.
  And sorry, excuse my so bad english.
  See you.

  Marcel,
  Originally the idea was to create a post to only explain how to do authentication using a Servlet filter. However,
  I have recently added code to the JHeadstart runtime and generators to enable both JAAS and 'Custom' authentication AND authorization in generated applications. Therefore, this post will be made after we have released the next patch release, as it will depend on these code changes.
  We currently plan to have the patch release available sometime in the second half of May.
  Kind regards,
  Peter Ebell
  JHeadstart Team

• Possible to combine Value and Hierarchy Authorizations?

  Hello Experts!
  Could anyone please tell me something about the interaction between value and hierarchy authorizations for the same info object?
  I created an authorization for an info object which makes use of both in some queries. But if you activate a hierarchy in query designer, the value authorizations seem not to work anymore. Instead the hierarchy authorizations restrict the analysis result. I get datasets in the result without having the corresponding value authorizations.
  Is there a way to ONLY use value authorizations which also work if you activate a hierarchy on an info object???
  Thanks in advance.....
  Bye,
  Joerg

  No you can't. GRE is only designed to carry routing protocols and multicast traffic over VPNs.
  It is also bad design practise to design a network that carry's L2 vlan's over a WAN or internet link.
  You have to ask yourself why you would want to carry VLANs over VPNs?
  Hope this helps.

• What's differences between jaas and jacc?

  lately i saw a new java scurity released on http://java.sun.com/j2ee/javaacc/; it seems like similar to JAAS (http://java.sun.com/products/jaas/); though, reportedly, jacc concerned more detail in authrization, however, there's autherization api been included as i know. is there anyone be able to tell me what's differences between jaas and jacc? or where there's resource or article exaplained detail about this issue?
  i appreciate any suggestions.
  thank you very much,

  From what I saw, the JACC specifically deals with what is currently called Container Managed Security. JAAS is something that would be used on top of JACC.
  See also:
  http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security11.html
  JACC contracts provide the following benefits:
  - JACC moves security administration and decision-making responsibility from the container to the security providers.
  - JACC enables the use of a common policy across different security systems.
  - J2EE system integrators can integrate containers with existing authorization policy infrastructure
  re Jaap

• Difference between J2SE and J2EE...

  Hi all. I was wondering what the difference between J2SE and J2EE were. I mean in the code structure. Are the packages the same, like Swing, IO, things like that. I'm a bit of a beginner in Java, only been messing around with it for about 6 months now kind of in my spare time, and I know I'm in now way ready for J2EE, but it's something I think I'd like to maybe look into. I know it's for Enterprise Applications, much bigger scale than I'm used to, but fundamentally, how is it different? Different coding conventions? New packages not in J2SE? I hope what I want is coming across okay. Thanks for all the input.
  James

  J2EE defines a large number of specifications, in addition to J2SE. Examples are the Servlet, JSP, JMS, and EJB specifications. Most of those specifications are designed to have implementations running inside an Application Server. There are free implementations available such as JBoss (combined with for example Tomcat), and I think youre best bet to learn is to download one of those and go from there. Servlets and JSP are a good beginning, and then maybe move on to EJB and the rest.
  Br - J

• JAAS and JBOSS

  I'm trying to use JAAS to log in a user on a JBOSS app, but am running into a problem. I'm able to successfully authenticate the user, and retrieve a Subject from my LoginContext. However, once that request is done (i.e. the browser displays the "log in complete" page), the application seems to forget that the user was logged in. How does JAAS and JBOSS keep track of the logged in user? Is this done by keeping a singleton of LoginContext around in some scope? Right now I'm creating a new instance of LoginContext, and using it to load a new instance of my CallbackHandler. Note, when I used JBOSS default form based authentication, it kept the user logged in. However, I can't use their default auth because I have some custom things I need to do.
  Thanks in advance for any help you provide.

  Hi,
  I tested this on OC4J for you and here - after setting jbo.security.enforce to Must, the user principal name and the roles are displayed.
  So there are three possibilities why you don't see things working
  - JBoss doesn't add the role principals to the Subject so they become available in the session
  - You attempt accessing this information in a prepareSession() override without enforcing authentication to happen for the root page - URL pattern = /
  - ADF BC security doesn't recognize the custom role principal
  After briefly reviewing the security implementation code, it seems that ADF BC security is dependent on Oracle JAZN for authorization.
  Frank

• BW BEX Queries and Analysis Authorizations

  Hello....
  Have an opportunity with BW BEX queries and Analysis Authorization...would like to see if anyone has had the same experience and if so is there a answer....
  1) given a query....
  2) given a analysis authorization with a info-object that has intervals defined to be both single values and ranged values
  the following happens...
  after the query is fired the starter screen appears...the info-object in question appears with the defined single values only....if....the window is opened....again only the single values appear...the range values do not appear...once the query is executed the only results given are those for the single values...
  also if you re-fire the query and manually enter a valid value for the info-object that falls with-in any of the range values no result is given...even if there is data for it....the reponse given is no data found....
  NOW...if the single values, for the given info-object, are removed from the Analysis Authoriization then the range values appear and work....
  Is this a problem within in the query...or...is this a "feature" of the query...and thus must be "lived" with...
  Terry
  PS...this problem currently only happens if the window for the info-object allows for multi-selection....this problem does not occurr when the window only allows for one selection...

  Hi,
  This is a known problem with analysis authorization and multi selection IO selection criteria.
  When you define the analysis authorization with ranges and when you try to enter single values on the selection critera of the query, then the system shows zero data.
  You can run the query without entering any selection values for the IO in question only.
  I have tried several combinations and still encountering the same issue.
  Ravi

• Material and chapter id combination in PO

  Hi,
  While creation of PO system will give a warning or error message that the partilcular material does not have material and chapter id combination in J1ID.
  is it possible if yes how to set this?
  Intention is Buyer should not release the PO, if material does not have any chapter ID combination.
  Regards
  sapman man

  Hello.
  We are maintainted the tax code in PO.
  Buyer has no authorization to maintain the J1ID. But he should know in creation PO, for this material chapter ID is not mainatined (Through error message or warning message). Then he will contact the excise person to maintain the chapter id.
  sapman man

• What is their difference betwwen  Sun ONE Application Server  and J2EE serv

  Sun ONE Application Server is Sun implementation of J2EE server.
  But it seems even no Sun ONE Application Server, use J2EE SDK command
  j2ee -verbose
  we still can launch an Application Server that support EJB, JSP....
  what is their difference betwwen Sun ONE Application Server and J2EE server provided by J2EE SDK ?
  Thanks,

  Sun ONE generally refers to the Sun ONE Application Server version 7.x. This is a J2EE 1.3 compliant application server from Sun. Sun also released a Reference Implementation version (RI) as a requirement of the J2ee 1.3 spec. This is the J2EE server you are refering too. The Sun ONE Application Server 7 is a more robust production ready App Server.
  Going forward, Sun combined the 2 seperate groups to include just 1 release. The J2EE 1.4 Reference Implementation is the Sun Java System Application Server Platform Edition version 8. SJS AS 8 PE is both free and production ready. Other version will include High Availability, Managing and Monitoring features.
  -Jeff

• Javadoc and J2EE

  Hi everyone. I am a noob when it comes to developing on J2EE, javadoc, etc.
  I am interested in trying to utilize Javadoc for my projects. In Eclipse I create a web projects and use a combination of servlets, jsp, html, js, and jquery. When publishing my code, I export the EAR file and upload that to an instance in Oracle Weblogic.
  Unfortunately I cannot run javadoc from my local machine. I need to run it on my server.  When I run javadoc on the EAR files I get messages like this.
  Loading source files for package testEAR.ear...
  javadoc: warning - No source files for package testEAR.ear
  Constructing Javadoc information...
  javadoc: warning - No source files for package testEAR.ear
  javadoc: error - No public or protected classes found to document.
  1 error
  2 warnings
  I exported the EAR file with the source code from Eclipse.
  Frankly I am not sure really what I am doing. I couldn't really find anything on google about running javadoc from the EAR files.
  Is there a tutorial or something that can tell me how to do what I want?  Am I even approaching this correctly?
  Thanks

  > I cannot run javadoc from my local machine
  Why not?
  >  I need to run it on my server
  You need to run it when you build your application.

• J2SE and J2EE Which with what ?

  I am running Windows NT 4.0 server, with SP6a & Windows NT 4.0 work station, with SP6a. On reading the various combinations of J2Se and J2EE, which do I need to match. Also I am using ant 1.5.3 and looking at some CORBA 3 work using JacORB 1.4.1. I have been using J2SDK 1.4.1_02 for general jave work.
  From what I have been reading it looks as if I need J2SE 1.3.1_02 with J2EE 1.3.1.
  What is the real combinations of J2SE and J2EE needed for such a asystem ?
  Also at present I do not particularly wish to move to a Win2000 Server/workstation combintion as yet.
  Thanks
  Omegaall

  You may now download J2EE 1.4 which will be compatible with your existing installation of J2SE 1.4.1_02.
  However, J2EE consists of the application server and additional tools. They are not required, nor are they recommended for heavy duty enterprise work; J2EE is simply a basic "reference" platform for you to get your feet wet on.
  Other alternatives do exist, and if you've tracked down Ant, you probably already know about Tomcat, JBoss, WebSphere and a number of commercial engines. All of these packages essentially take J2EE and extend them further (or are faster, or are more reliable, etc etc).
  If you have been asked to develop COBRA objects - as opposed to, and I stress this, as opposed to - merely being interested in the technology, then I strongly strongly strongly suggest you find out what your customer is using and set up a scheme similar to theirs. By developing to the same platform, you can save yourself a lot of deployment and packaging headaches, and essentially develop the objects "the right way" for that system.