JAAS or regular J2EE Security?

Hi, can someone offer me some examples of why I should prefer JAAS over J2EE security via constraints and roles in web.xml (and vice versa)? I'm just not sure which to use...
Thanks...

hi,
you should have a look towards jGuard to use JAAS in j2ee in an easy way:
homepage:
http://jguard.sourceforge.net/
sourceforge page:
http://sourceforge.net/projects/jguard
it hides the JAAS complexity, and enables dynamic configuration and great flexibility!
sincerely yours,
Charles(jguard team).

Similar Messages

  • Custom Policy vs. J2EE Security

    Hi there, Java Security architecture gurus,
    I am currently trying to find the best architecture for the new security framework for our company's application. The system requires instance-based security. ACLs are stored in a database. JAAS's authentication is just fine, but its file-based authorization is not sufficient for our needs. Access rights change during runtime and they should not be refreshed in that inefficient way with Policy.refresh().
    The solution I would like to establish should cope with changing environments without the need to change the code that is using security checks. E.g. the app should be able to run as a stand-alone application or within J2EE application servers or servlet engines.
    I have looked at the Java 2 Security API and found out that implementing a customized version of the JAAS Policy class can be one approach. A good benefit is the tight integration with the Java Security framework and that it is not necessary to reimplement things like the AccessController and privileged actions.
    Now, I have the following questions:
    - Is the custom Policy a common solution when the application is deployed on a J2EE appserver?
    - Is it possible to delegate permission checking of the system permissions (FilePermission, PropertyPermission, etc.) to the original Policy implementation? I would not really want to have to include all of these in the database table.
    The alternative approach would probably be J2EE security, with the cost of restricting the app to the J2EE environment. To me it seems to be impossible to implement instance-based security with role-based declarative J2EE security. With programmatic EJB security, I would need to make isCallerInRole() completely dynamic to support it.
    I looked through the forum for quite a while without success but if you already discussed this topic I would really appreciate a pointer.
    Thanks,
    Christoph

    Chris,
    There is a very good article from IBM that implements the same thing you are trying to implement, i.e. instance-based security and also a custom Policy (you may need this).
    http://www-106.ibm.com/developerworks/library/j-jaas/?n-j-442
    Now, I have the following questions:
    - Is the custom Policy a common solution when the application is deployed on a J2EE appserver?
    A custom Policy is required primarily if you are going away from the default policy format that Sun recommends. If you want to read your permissions from a database you may need to implement a custom Policy class.
    - Is it possible to delegate permission checking of the system permissions (FilePermission, PropertyPermission, etc.) to the original Policy implementation? I would not really want to have to include all of these in the database table.
    This is recommended by Sun. You may have to delegate the Permission checks that you know you cannot handle to the default Policy class.
    In your CustomPolicy.java getPermissions() method, the following code goes at the end of the method:
    // If the permission is not found here then delegate it
    // to the standard java Policy class instance. That instance must be saved
    // (via Policy.getPolicy()) in a field such as defaultPolicy BEFORE CustomPolicy
    // is installed with Policy.setPolicy(): afterwards Policy.getPolicy() returns
    // CustomPolicy itself and calling it from here would recurse without end.
    java.security.Policy policy = this.defaultPolicy;
    return policy.getPermissions(codeSource);
    Hope this helps.
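    An added example (not from the reply above or from the IBM article) of a Policy that reads instance-based rights from an ACL store and delegates every other permission to the Policy that was installed before it; InstancePermission, AclStore and DatabaseBackedPolicy are hypothetical names, the ACL rows in main() are constructed, and it assumes a JDK before 24, where java.security.Policy is still functional:

```java
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.util.Map;
import java.util.Set;

// Hypothetical permission type for instance-based rights: name "order:4711", action "read".
final class InstancePermission extends Permission {
    private final String action;
    InstancePermission(String name, String action) { super(name); this.action = action; }
    @Override public String getActions() { return action; }
    @Override public boolean implies(Permission p) {
        return p instanceof InstancePermission && getName().equals(p.getName())
                && action.equals(((InstancePermission) p).action);
    }
    @Override public boolean equals(Object o) { return o instanceof Permission && implies((Permission) o); }
    @Override public int hashCode() { return getName().hashCode() * 31 + action.hashCode(); }
}

// Stand-in for the ACL table; a real one queries the database on each call, so no refresh() is needed.
interface AclStore { boolean isGranted(String principalName, InstancePermission perm); }
public final class DatabaseBackedPolicy extends Policy {
    private final Policy systemPolicy;   // the Policy that was installed before ours
    private final AclStore acls;

    public DatabaseBackedPolicy(Policy systemPolicy, AclStore acls) {
        this.systemPolicy = systemPolicy;
        this.acls = acls;
    }

    @Override public boolean implies(ProtectionDomain domain, Permission permission) {
        if (!(permission instanceof InstancePermission)) {
            // FilePermission, PropertyPermission, ...: delegate to the original Policy unchanged.
            return systemPolicy.implies(domain, permission);
        }
        // Instance-based right: granted only if a Principal of the calling Subject holds it.
        for (Principal p : domain.getPrincipals()) {
            if (acls.isGranted(p.getName(), (InstancePermission) permission)) return true;
        }
        return false;
    }

    // Code-source permissions are not stored in the ACL table either; delegate them as well.
    @Override public PermissionCollection getPermissions(CodeSource cs) { return systemPolicy.getPermissions(cs); }

    public static void main(String[] args) {
        // Constructed ACL rows standing in for the database table: principal -> "name/action".
        Map<String, Set<String>> rows = Map.of(
                "alice", Set.of("order:4711/read", "order:4711/write"),
                "bob",   Set.of("order:4711/read"));
        AclStore store = (who, perm) ->
                rows.getOrDefault(who, Set.of()).contains(perm.getName() + "/" + perm.getActions());
        // Capture the current Policy BEFORE installing ours: calling Policy.getPolicy() from inside
        // implies() after installation would return this policy itself and recurse.
        Policy.setPolicy(new DatabaseBackedPolicy(Policy.getPolicy(), store));
        ProtectionDomain bob = new ProtectionDomain(null, null, null, new Principal[] { () -> "bob" });
        Policy live = Policy.getPolicy();
        System.out.println("bob read:  " + live.implies(bob, new InstancePermission("order:4711", "read")));
        System.out.println("bob write: " + live.implies(bob, new InstancePermission("order:4711", "write")));
    }
}
```

    In a real deployment the principals come from the ProtectionDomain that Subject.doAs() attaches to the calling thread, and the ACL lookup runs against the database on every check, which is what removes the need for Policy.refresh().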

  • How to find solution for avoiding WARNING J2EE SECUR-00100 ********** user-manager (see application/server descriptors) will no longer be supported in the next release of this product

    HI All,
    We are using OC4J version 10g 10.1.3, and while starting the container we are getting the warning below. Let me know if anyone has a solution for this.
    14/01/10 01:01:29 ********** user-manager (see application/server descriptors) will no longer be supported in the next release of this product!
    Please take the appropriate actions to migrate to an alternative strategy! **********
    2014-01-10 01:01:29.833 WARNING J2EE SECUR-00100 ********** user-manager (see application/server descriptors) will no longer be supported in the next release
    of this product!


  • SOAP and J2EE security

    We have deployed several SOAP services (Apache SOAP) on a WLS 6.1 server. Since more and more services are being deployed, people are getting worried about security. I was wondering what the best solution was to do authentication and authorization on EJB and method level for SOAP clients? I was thinking about the following solution: use the standard J2EE security by defining security constraints in the ejb-jar.xml file. Therefore every client needs to provide credentials to use the EJBs (this should work for both RMI/IIOP and SOAP clients).
    What are your ideas and opinions about this solution?
    If you post a reply please CC to [email protected]

    Hi,
    Let me know if you find the answer to your question.
    thanks

  • Struts/servlet page flow problem due to j2ee security

    When I type a URL such as http://localhost:7777/myapp/action.do, I want to see the execution result page from this action. However, the result page will always be index.jsp because of J2EE security: I have a loginaction.do and its result page is index.jsp. How can I overcome this problem?
    Thanks,

    To give more details about the problem I have: the user likes to put a URL in the browser, then press enter. The user likes to see the running results. However, the user is not able to see the results because J2EE security requires the user to log in. After a successful login, the user is going to see the index page. My question is how the user can view his result page after login.
    cheers.

  • Using dynamic groups for j2ee security

    Hi all,
    I have my realm setup in server.xml and my standard and sun-specific deployment descriptors setup for j2ee security.
    Everything seems to work fine for groups defined via uniquemember attributes (all users are specified), but I'm having trouble with dynamic groups (defined with the memberurl attribute).
    How do I configure my realm in my server.xml to get this working?

    Hi,
    I got an official answer from SUN.
    "Dynamic Groups" are not (or no longer) supported with SJS AS 7!
    It will probably be supported with SJS AS 8 SE.
    If you have an iPlanet 6.5 application that is running with dynamic groups, just wait a little bit before you migrate.

  • J2ee Security methods in JSF

    Is it possible to bind to J2EE security methods in JSF pages, like request.getUserPrincipal() or request.isUserInRole("rolename")?

    Hi,
    Actually you can use EL if you create a method in a managed bean to check for a specific role membership. Reference the method, which returns true or false, from EL. Note that EL cannot have arguments and for this reason you cannot directly pass in role names as arguments.
    Frank

  • J2ee security and page flow problem

    To give more details about the problem I have: the user likes to put a URL in the browser, then press enter. The user likes to see the running results. However, the user is not able to see the results because J2EE security requires the user to log in. After a successful login, the user is going to see the index page. My question is how the user can view his result page after login.
    cheers.

    In the future, please post JSP/Servlet questions in the appropriate forum: http://forum.java.sun.com/category.jspa?categoryID=20
    This is pretty simple to do:
    1) set up a Filter that applies to a specific url pattern, such as "/protected/*", so that the Filter is invoked when resources within the "protected/" path get accessed
    2) in the Filter code, store the user's desired path in the session scope (let's call it "loginRedirectFrom") and redirect the user to the login screen.
    3) in your login servlet/jsp, after the user has been verified, redirect to the url you stored in "loginRedirectFrom".
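    The three steps above as an added example (not code from the reply), against the javax.servlet API; LoginRedirectFilter, the "authenticatedUser" session attribute and /login.jsp are hypothetical names, and the login servlet is assumed to call onLoginSuccess() and redirect to what it returns:

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Step 1: map this filter in web.xml to the protected area, e.g. <url-pattern>/protected/*</url-pattern>.
public class LoginRedirectFilter implements Filter {
    static final String REDIRECT_ATTR = "loginRedirectFrom";   // name used in the reply above
    static final String USER_ATTR = "authenticatedUser";       // hypothetical: set by the login servlet

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    // Step 2: an unauthenticated request to a protected path is remembered and sent to the login page.
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(true);
        if (session.getAttribute(USER_ATTR) != null) {
            chain.doFilter(req, res);   // already logged in, let the request through
            return;
        }
        String target = request.getRequestURI();             // e.g. /myapp/protected/action.do
        if (request.getQueryString() != null) target += "?" + request.getQueryString();
        session.setAttribute(REDIRECT_ATTR, target);
        ((HttpServletResponse) res).sendRedirect(request.getContextPath() + "/login.jsp");
    }

    // Step 3: the login servlet calls this once the credentials have been verified and then does
    // response.sendRedirect(...) with the result. The session is renewed so that the id handed out
    // before login is not kept afterwards (session fixation).
    static String onLoginSuccess(HttpServletRequest request, String user) {
        String fallback = request.getContextPath() + "/index.jsp";
        HttpSession old = request.getSession(true);
        String target = safeRedirectTarget(old.getAttribute(REDIRECT_ATTR), request.getContextPath(), fallback);
        old.invalidate();
        request.getSession(true).setAttribute(USER_ATTR, user);
        return target;
    }

    // Only a path inside this web application is honoured, so a value planted in the session cannot
    // turn the login page into an open redirect to another host (a "//host/..." value would do that).
    static String safeRedirectTarget(Object saved, String contextPath, String fallback) {
        if (!(saved instanceof String)) return fallback;
        String path = (String) saved;
        boolean local = path.startsWith(contextPath + "/") && !path.startsWith(contextPath + "//");
        boolean clean = !path.contains("\\") && !path.contains("\r") && !path.contains("\n");
        return local && clean ? path : fallback;
    }
}
```

    With container-managed FORM authentication the container itself replays the originally requested URL after a successful login, so a filter like this is only needed when the application handles the login itself.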

  • OID Dynamic Groups and J2EE security roles

    Hi
    I've searched the forums but can't get a definite answer. Is it possible to use OID dynamic groups and map them to J2EE security roles? I can't find anything that says specifically not, but I can't seem to get it to work.
    Thanks
    Adam

    Hi,
    Let me know if you find the answer to your question.
    thanks

  • Authorization check for caller assignment to J2EE security role

    Dear experts, in the default.trc logs of my Enterprise Portal NW2004s this error appears:
    #1.#0018714E4A14005E000027E1000057B8000441BB7EF2FC03#1198173451524#com.sap.engine.services.security.roles.SecurityRoleReference#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleReference#Guest#2126####46ce8210aefd11dcc68f0018714e4a14#Thread[Thread-59,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error#1#/System/Security/Audit/J2EE#Java###: Authorization check for caller assignment to J2EE security role [ : ] referencing J2EE security role [ : ].#5#ACCESS.ERROR#service.jms.default.authorization#administrators#SAP-J2EE-Engine#administrators#
    #1.#0018714E4A14005E000027E5000057B8000441BB7F8BDC21#1198173461543#com.sap.engine.services.security.roles.SecurityRoleImpl#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#2127####46ce8210aefd11dcc68f0018714e4a14#Thread[Thread-59,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error#1#/System/Security/Audit/J2EE#Java###: Authorization check for caller assignment to J2EE security role [ :
    Any idea about it?
    Thanks friends

    Hi Holger,
    Thanks for the tip, it could be the case. I just checked and we are on Patch 0 for JEECOR as you can see here below:
    sap.com/SAP-JEECOR   7.00 SP13 (1000.7.00.13.0.20070907082334)  20071028144036 
    sap.com/SAP-JEE          7.00 SP13 (1000.7.00.13.2.20071026143730)  20071203150628 
    Will inform some people internally to patch to at least 3 to check if it still occurs.
    Anyway, Thanks again..
    Benjamin Houttuin

  • Error :Authorization check for caller assignment to J2EE security role whil

    Hi Experts,
    I am working as a portal resource.
    After the deployment of the standard SAP e-rec package I am getting some errors. I have assigned the Recruiter role to one test user.
    Now I am getting two issues:
    1) All the services are appearing in the Detailed Navigation panel but not in the portal content area.
    2) I am able to see a few iViews for the test user, but those are also in the detailed navigation view.
       And a few iViews are giving the following errors:
      i) Internal error
     ii) error 2011-12-19 07:59:57:315 ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [sap.com/com.sap.lcr*sld : LcrInstanceWriterNR] referencing J2EE security role [SAP-J2EE-Engine : administrators].
    /System/Security/Audit/J2EE com.sap.engine.services.security.roles.audit n/a EP-DEV-KRT Server 0 0_97989
    Full Message Text
    ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [sap.com/com.sap.lcr*sld : LcrInstanceWriterNR] referencing J2EE security role [SAP-J2EE-Engine : administrators].
    Please suggest what can be done or what is pending from my side.

    Prajakta2602 wrote:
    Hi Experts,
    >
    > the previous issue got solved..
    > it was due to a service pack mismatch and applying notes
    > the Basis guy checked the SLD logs and accordingly found that the base components J2EECORE and JTECHS required patching as per
    > notes 1445294 and 1175239, which were applied.
    > now the issue is:
    >
    >
    > After implementation and assigning the standard SAP roles
    > 1) Recruiter Administrator
    > 2) Recruiter
    > to the test user,
    > for a few iViews it is showing errors such as
    > 1) you are not an authorized user
    > 2) internal error
    >
    > please help experts.
    >
    > I am working on the portal side; do I have to assign any role to that test user?
    >
    >
    > Thanks & Regards,
    > Prajakta
    You can run a quick check using the below steps:
    1. Check in backend whether there is any authorisation errors... you may use transactions SU53 or ST22 for any ABAP errors
    2. Also check in NWA -> log viewer -> last 24 hours log for the particular user to see any java related issues.
    Regards,
    Mahesh

  • J2EE Security Provider Service in NWA on 7.10?

    Hi,
    In versions up to 7.0, there was a J2EE Security Provider Service which could be configured in Visual Administrator to control fine-grained security between deployed components on the system. I cannot find anything similar in NetWeaver Administrator in 7.1. Has this become obsolete or am I overlooking something?
    Thanks,
    Thorsten

    Hi,
    NWA -> Configuration Management -> security -> authentication
    here you can find the required policy configurations
    regards,
    Jozsef

  • J2EE security, OID and account lockout

    Hi!
    I have created a Webcenter application (in Jdev 10.1.3). I have added standard J2EE security to both the portlets and the Webcenter app, using form-based authentication. On the application server, I use the OID for authentication (without SSO).
    Now, when a user logs in, all works fine, but after a short period (maybe session timeout?) the OID account becomes locked.
    Has anyone seen this before? It is really troublesome.
    Jeroen van Veldhuizen

    Jeroen,
    you should try checking the OID logs at the time of the lockouts, it seems to me it is probably an OID setting or issue.
    Cheers,
    Mick.

  • ADF Mobile - Security. Serving custom, non-j2ee security policies.

    We are trying to achieve session management across our ADF Mobile app.
    We were hoping to use the ADF Mobile inbuilt security framework.
    However, our Mobile App is simply a UI interface to a large Enterprise App which already has a custom security framework (entirely database based) in place.
    The enterprise app exposes RESTful interfaces (JAX-RS/Jersey) for functionality which the mobile app consumes.
    This question has broadly 2 parts to it.
    1. Does ADF Mobile inbuilt security work ONLY with a J2EE container-managed security realm service?
    2. Can ADF Mobile inbuilt security be made to work with a custom application security framework?
    Following are the challenges we face in dealing with the 2nd question:
    2a. We need to extricate the Username and Password from the request as sent by the ADF Mobile default login page.
    2b. Based on the authenticated state (using the custom security framework) assign Roles to the user and set the response.
    2c. In the Mobile app use the custom roles to drive the UI.
    2d. One of the statements in the documentation says that irrespective of successful or failed login the Springboard will be visible. Can this be prevented?
    2e. Can we maintain session while achieving the last 4?
    Using the following JAX-RS annotations it has been impossible to retrieve any user credentials at our webservice end:
    @Context SecurityContext, @Context HttpServletRequest, @CookieParams,  @HeaderParam

    Hi,
    here's how you do it:
    - application roles are defined in jazn-data.xml
    - Write a custom JAAS LoginModule that authenticates against the database
    - Create WLS authentication provider for your JAAS LoginModule and configure it in WLS
    - LoginModule returns principal for user and the user group memberships
    - User logs in via login.jspx
    - WLS authenticates user
    - Security context is updated with user and user roles
    Frank
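    The "custom JAAS LoginModule that authenticates against the database" step above, as an added example (not code from Frank's reply) written against the plain javax.security.auth API; UserStore, NamedPrincipal and DatabaseLoginModule are hypothetical names, the database sits behind the UserStore interface, and WebLogic's own user/group principal classes, which its authentication providers expect, are left out to keep the module container-neutral:

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
// Hypothetical DAO over the users/groups tables: returns the user's groups when the password
// verifies against the stored salted hash, null otherwise (the module never sees the hash).
interface UserStore { Set<String> groupsIfValid(String user, char[] password); }
// Minimal Principal with a kind ("user" or "group"); WebLogic providers would use its own classes.
final class NamedPrincipal implements Principal {
    final String kind, name;
    NamedPrincipal(String kind, String name) { this.kind = kind; this.name = name; }
    @Override public String getName() { return name; }
    @Override public boolean equals(Object o) {
        return o instanceof NamedPrincipal && kind.equals(((NamedPrincipal) o).kind) && name.equals(((NamedPrincipal) o).name);
    }
    @Override public int hashCode() { return kind.hashCode() * 31 + name.hashCode(); }
}
public class DatabaseLoginModule implements LoginModule {
    static UserStore store;   // hypothetical hook; a real module would open a DataSource named in `options`
    private Subject subject;
    private CallbackHandler handler;
    private final Set<Principal> pending = new LinkedHashSet<>();
    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }
    // Phase 1: obtain the credentials through the container's CallbackHandler and verify them.
    @Override public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("user: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, passCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e.getMessage());
        }
        char[] pw = passCb.getPassword();
        Set<String> groups = (pw == null || nameCb.getName() == null) ? null : store.groupsIfValid(nameCb.getName(), pw);
        passCb.clearPassword();
        if (pw != null) Arrays.fill(pw, '\0');   // do not keep the clear-text password in memory
        if (groups == null) throw new FailedLoginException("invalid user name or password");  // one message for both cases
        pending.add(new NamedPrincipal("user", nameCb.getName()));
        for (String g : groups) pending.add(new NamedPrincipal("group", g));
        return true;
    }
    // Phase 2: principals reach the Subject only on commit, so if another module in the same
    // login stack fails, abort() leaves the Subject untouched.
    @Override public boolean commit() { subject.getPrincipals().addAll(pending); return !pending.isEmpty(); }
    @Override public boolean abort() { pending.clear(); return true; }
    @Override public boolean logout() { subject.getPrincipals().removeAll(pending); pending.clear(); return true; }
}
```

    The group principals added in commit() are what the container later maps to the application roles declared in jazn-data.xml.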

  • WebLogic J2EE Security for Outside Apps

    We have a large client migrating to J2EE Web apps/services using WebLogic from Cold Fusion Web apps and TCL/TK client/server applications.
    We want to create a Single Sign On access to all apps. The J2EE Web apps can utilize WebLogic's implementation of JAAS, which nicely provides SSO. Can this impl be exposed to these Cold Fusion/client-server apps so we could provide a heterogeneous SSO implementation? That is, is there an API we could call from, say, the Cold Fusion web app upon entry to go see if the user has a current session in WebLogic? On the flip side, if the user first accesses the Cold Fusion web app before the WebLogic web app, is there an API call we could make from the Cold Fusion web app to create an authenticated user session in WebLogic, so that when the user then goes to the WebLogic web app, they are already logged in? That would be great if we could. I'm wondering...
    Thanks.

    It's likely you'll need some kind of perimeter authentication technique so users can move between webapps and not require login. You might consider posting your question to the weblogic.developer.interest.servlet newsgroup as well.
    One thing that may help you is a past post which gives some details on combining form and perimeter authentication via login form. The idea is to use a token which can be sent in the request that would log in the user without requiring authentication, but actually authenticate the user when the token is unavailable.
    http://newsgroups.bea.com/cgi-bin/dnewsweb?cmd=article&group=weblogic.developer.interest.security&item=11697&utag=
    -Craig
