incubator-projects mailing list archives

From Roland Weber
Subject Re: high level design from wiki
Date Fri, 25 Jul 2008 07:48:17 GMT
Angela Cymbalak wrote:
> Can we just use jSecurity and let them deal with it? :-)

Hum. I was almost ready to send a long post with a
general drift of "no" when I had another look at the
jSecurity JavaDocs and found their "web" packages.

It seems that it is possible to configure jSecurity
as a servlet filter. You can specify all the auth stuff
that you would expect to find in web.xml, like protected
paths and basic or form-based authentication and so on.
Instead of using the container security infrastructure,
you'd be relying on jSecurity. In light of this,
my answer changes to:

If you want to leverage the security infrastructure
of the web container, plugging into JAAS is the way
to go. If you don't, you can go with jSecurity alone.

I'd be very cautious to bypass container security. In
a J2EE container (rather than a simple web container),
it reaches much further than just allowing access to
a web resource or not. There is identity propagation
when calling EJBs, vendor specific integration with
single sign-on solutions, and probably more.

While I was looking at several web and J2EE containers
to get a feel for what authentication options they
provide, we don't have to tackle the full complexity
for a prototype. We can just pick one web container
(Tomcat or Geronimo) and implement the JAAS modules
for that. My idea is to plug some modules into the
JAAS authentication that populate the Subject with
one or two principals of our own. The access manager
then just checks for the presence of these principals.
One principal to provide user identity, the other for
querying friend relationships, that's what I'm heading
for at the moment. We'd have container specific login
modules and setup, but both the application and the
backend remain container agnostic. A standalone app
would have to perform an explicit JAAS login, but the
backend still doesn't care. If the principals are in
the Subject, it doesn't matter where they came from.
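The login-module-plus-principals design sketched above, as an added Java example that is not from this thread or from any project code: a hypothetical JAAS `LoginModule` populates the `Subject` with two hypothetical principals (identity and friend lookup), and a backend `AccessManager` decides purely from what is in the `Subject`. The `FRIENDS` map is constructed sample data standing in for a real store.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Hypothetical principals: one carries identity, the other answers friend queries.
final class UserPrincipal implements Principal {
    private final String name;
    UserPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}
final class FriendsPrincipal implements Principal {
    private final String owner; private final Set<String> friends;
    FriendsPrincipal(String owner, Set<String> friends) { this.owner = owner; this.friends = friends; }
    public String getName() { return owner; }
    boolean isFriendOf(String other) { return friends.contains(other); }
}

// Container-specific module: the only code that knows how the user was authenticated.
public class PrototypeLoginModule implements LoginModule {
    private static final Map<String, Set<String>> FRIENDS = Map.of("alice", Set.of("bob")); // constructed
    private Subject subject; private CallbackHandler handler; private String user;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        try { handler.handle(new Callback[] { nc }); } catch (Exception e) { throw new LoginException("callback failed: " + e); }
        user = nc.getName();  // a real module verifies the credential here
        if (user == null || user.isEmpty()) throw new LoginException("no user name");
        return true;
    }
    public boolean commit() {  // runs only after every module's login() succeeded
        subject.getPrincipals().add(new UserPrincipal(user));
        subject.getPrincipals().add(new FriendsPrincipal(user, FRIENDS.getOrDefault(user, Set.of())));
        return true;
    }
    public boolean abort() { user = null; return true; }
    public boolean logout() {
        subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal || p instanceof FriendsPrincipal);
        return true;
    }
}

// Backend access manager: container-agnostic, it inspects only the Subject.
class AccessManager {
    static boolean mayViewProfile(Subject subject, String owner) {
        for (UserPrincipal u : subject.getPrincipals(UserPrincipal.class))
            if (u.getName().equals(owner)) return true;  // own profile
        for (FriendsPrincipal f : subject.getPrincipals(FriendsPrincipal.class))
            if (f.isFriendOf(owner)) return true;        // a friend's profile
        return false;
    }
}
```

Registering the module is the container-specific part (a JAAS login configuration entry for Tomcat or Geronimo); a standalone application would instead run a `LoginContext` login itself, and `AccessManager` is unaffected either way.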

