I have been investigating ways to implement J2EE security and it appears to me that it is not very portable between app servers or servlet containers.
It seems that you can assign roles to directories, servlets or JSPs in web.xml and roles to EJB methods in ejb-jar.xml, but assigning a user to a role is very appserver/servlet container specific. Is this the case or am I missing something? If so, it seems like it is a major portability problem and forces you into a roll-your-own security scheme.
You are right, J2EE security is not really portable. Some parts are (those covered by the J2EE specs), some aren't.
The specs describe a role-based access control mechanism for EJBs and servlets and how the resource-to-role mapping is done (in the XML descriptors). The specs do not indicate how the mapping of roles to security principals (users and groups) is made, what are the APIs for EJB security (except for the two methods of EJBContext), how auditing is done, how access to other container resources is protected and so on. JAAS would alleviate some of the issues, but look closer at what and how JAAS is implemented by a given vendor.
Thank you for your response. It seems to me that this is a gaping hole in the J2EE spec! After all, isn't one of the biggest features of J2EE its portability? So why, with the role-based deployment definitions in both the web (web.xml) and EJB (ejb-jar.xml) containers, was the user-role mapping not part of the spec?
My research seems to indicate that JAAS will be incorporated into J2EE eventually. Is there any indication when this will happen?
JAAS (1.0) is already a required piece in the J2EE 1.3 specs. Quoting from them: "All EJB containers and all web containers must support the use of the JAAS APIs as specified in the Connector specification. All application client containers must support use of the JAAS APIs as specified in Chapter J2EE.9, “Application Clients.”"