I'm upgrading an existing website to use EJB. The old servlets call JDBC directly to get user info and authenticate user's login.
I noticed that EJB use JAAS as its authentication/authorization architecture. I wonder whether the JAAS is appropriate to me. Following is my requirements:
1. there are large amount of users in our site. so we store the user info in database or LDAP.
2. there are several types of users. each type of them is given different permissions(for example, free members can not upload images exceeds 50kb).
3. EJBs can be connected either from servlets or standalone java applications. both can authenticated consistently.
4. Administrators has higher permissions to manage the system.
5. Scalable and easy to add new permissions and new authentication methods.
should i use JAAS or develop my own API to authenticate/authorize users?
From what I understand JAAS is a pluggable layer for authentication and authorization, so you can use JAAS and write your own plugin. BTW, there is a LDAP plugin for JAAS.
Thank you for your reply.
I found it's quite easy to write a LoginModule. So that I can implement my own login method.
But in the provided JAAS examples, I noticed the authorization permissions are always read from a policy file (right?) I want to configure access controls dynamically (maybe save these informations in an access control table in database) Does this stops me from using JAAS authorization mechanism?
If you are using EJB, you need to stay with the security architecture of the EJB server that you are using.
EJB does not use JAAS. There is no clear definition of the relationship between EJB security and JAAS.
I am only familiar with WebSphere, and in WebSphere JAAS plays no role at all in the EJB/Servlet space.