I'm upgrading an existing website to use EJB. The old servlets call JDBC directly to get user info and authenticate the user's login.
I noticed that EJB uses JAAS as its authentication/authorization architecture. I wonder whether JAAS is appropriate for me. Following are my requirements:
1. There is a large number of users on our site, so we store the user info in a database or LDAP.
2. There are several types of users. Each type is given different permissions (for example, free members cannot upload images exceeding 50kb).
3. EJBs can be connected to either from servlets or from standalone Java applications. Both can be authenticated consistently.
4. Administrators have higher permissions to manage the system.
5. Scalable, and easy to add new permissions and new authentication methods.
Should I use JAAS or develop my own API to authenticate/authorize users?
Thank you.
I wonder whether the JAAS is appropriate or not (3 messages)
- Posted by: kong shi
- Posted on: April 15 2002 09:09 EDT
I wonder whether the JAAS is appropriate or not
- Posted by: Dain Sundstrom
- Posted on: April 15 2002 12:51 EDT
- in response to kong shi
From what I understand, JAAS is a pluggable layer for authentication and authorization, so you can use JAAS and write your own plugin. BTW, there is an LDAP plugin for JAAS.
I wonder whether the JAAS is appropriate or not
- Posted by: kong shi
- Posted on: April 16 2002 10:51 EDT
- in response to Dain Sundstrom
Thank you for your reply.
I found it's quite easy to write a LoginModule, so I can implement my own login method.
But in the provided JAAS examples, I noticed the authorization permissions are always read from a policy file (right?). I want to configure access controls dynamically (maybe save this information in an access control table in a database). Does this stop me from using the JAAS authorization mechanism?
I wonder whether the JAAS is appropriate or not
- Posted by: Ken Norcross
- Posted on: April 22 2002 12:09 EDT
- in response to kong shi
If you are using EJB, you need to stay with the security architecture of the EJB server that you are using.
EJB does not use JAAS. There is no clear definition of the relationship between EJB security and JAAS.
I am only familiar with WebSphere, and in WebSphere JAAS plays no role at all in the EJB/Servlet space.