I'm building a J2EE application using J2EE 1.3 (app server weblogic 7.1)
Now for security (Authentication and Authorization) of the application I'm planning to use JAAS.
In the process of understanding JAAS I found that the default implementation of the authorization component expects the authorization policy to be specified in a file.
Now in this context my query is how safe it is to use this file-based authorization policy mapping. From my viewpoint anyone can change this policy file to compromise the security. Instead, isn't it a better approach to put the authorization policy related rules in a database?
Please give your viewpoints.
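For reference, here is what the database-backed alternative asked about above looks like in code. This is an added example, not code from the original post, from WebLogic or from any J2EE server: it assumes a hypothetical table JAAS_POLICY with columns PRINCIPAL_CLASS, PRINCIPAL_NAME, PERMISSION_CLASS, TARGET and ACTIONS, a javax.sql.DataSource supplied by the container, and an illustrative principal class com.example.RolePrincipal. It plugs in through the standard java.security.Policy extension point, keeps the existing (file-based) policy for code-source grants, and answers only the principal-based checks that JAAS adds from the database.

```java
// Added example (not from the original post or any app server). Hypothetical table:
//   JAAS_POLICY(PRINCIPAL_CLASS, PRINCIPAL_NAME, PERMISSION_CLASS, TARGET, ACTIONS)
// Written against the J2SE 1.4 API that J2EE 1.3 servers run on (no generics).
import java.security.*;
import java.sql.*;
import java.util.*;
import javax.sql.DataSource;

/**
 * A Policy that answers principal-based permission checks from a database and
 * delegates everything else (code-source grants) to the policy installed before it.
 *
 * Equivalent entry in the file-based policy that this replaces:
 *   grant Principal com.example.RolePrincipal "admin" {
 *       permission java.util.PropertyPermission "app.*", "read,write";
 *   };
 */
public class DatabasePolicy extends Policy {
    private final DataSource ds;
    private final Policy fallback;
    // "principalClass/principalName" -> PermissionCollection granted to that principal
    private final Map cache = Collections.synchronizedMap(new HashMap());

    public DatabasePolicy(DataSource ds, Policy fallback) {
        this.ds = ds;
        this.fallback = fallback;
    }

    public PermissionCollection getPermissions(CodeSource cs) {
        return fallback.getPermissions(cs);   // code-source grants are unchanged
    }

    public boolean implies(ProtectionDomain domain, Permission permission) {
        if (fallback.implies(domain, permission)) {
            return true;
        }
        // Subject.doAs() puts the Subject's principals into the ProtectionDomain.
        Principal[] principals = domain.getPrincipals();
        if (principals == null) {
            return false;
        }
        for (int i = 0; i < principals.length; i++) {
            if (permissionsFor(principals[i]).implies(permission)) {
                return true;
            }
        }
        return false;
    }

    public void refresh() {
        cache.clear();          // next check re-reads the rows, like re-reading the file
        fallback.refresh();
    }

    private PermissionCollection permissionsFor(final Principal p) {
        String key = p.getClass().getName() + "/" + p.getName();
        PermissionCollection pc = (PermissionCollection) cache.get(key);
        if (pc == null) {
            // The JDBC call itself triggers permission checks (e.g. SocketPermission).
            // doPrivileged restricts those checks to this class's own protection domain,
            // which the fallback policy must trust; otherwise the lookup recurses into itself.
            pc = (PermissionCollection) AccessController.doPrivileged(new PrivilegedAction() {
                public Object run() { return loadFromDatabase(p); }
            });
            cache.put(key, pc);
        }
        return pc;
    }

    private PermissionCollection loadFromDatabase(Principal p) {
        Permissions perms = new Permissions();
        String sql = "SELECT PERMISSION_CLASS, TARGET, ACTIONS FROM JAAS_POLICY"
                   + " WHERE PRINCIPAL_CLASS = ? AND PRINCIPAL_NAME = ?";
        Connection con = null;
        try {
            con = ds.getConnection();
            PreparedStatement ps = con.prepareStatement(sql);   // bound parameters: principal names cannot inject SQL
            ps.setString(1, p.getClass().getName());
            ps.setString(2, p.getName());
            ResultSet rs = ps.executeQuery();
            while (rs.next()) {
                perms.add(newPermission(rs.getString(1), rs.getString(2), rs.getString(3)));
            }
            rs.close();
            ps.close();
        } catch (Exception e) {
            return new Permissions();   // fail closed: an unreadable policy grants nothing
        } finally {
            if (con != null) try { con.close(); } catch (SQLException ignored) {}
        }
        perms.setReadOnly();
        return perms;
    }

    // Instantiate the Permission the way the file-based policy does: (target, actions) or (target).
    // The class name comes from the policy table, so whoever can write that table is the policy author.
    private static Permission newPermission(String cls, String target, String actions) throws Exception {
        Class c = Class.forName(cls);
        try {
            return (Permission) c.getConstructor(new Class[] { String.class, String.class })
                                .newInstance(new Object[] { target, actions });
        } catch (NoSuchMethodException e) {
            return (Permission) c.getConstructor(new Class[] { String.class })
                                .newInstance(new Object[] { target });
        }
    }

    // Installed once at startup by trusted code; needs SecurityPermission "setPolicy".
    public static void install(DataSource ds) {
        Policy.setPolicy(new DatabasePolicy(ds, Policy.getPolicy()));
    }
}
```

Note what this does and does not buy: the default policy files are located through the policy.url.n entries in java.security or the -Djava.security.policy property, and "anyone can change the file" is only true if the operating-system permissions on those files and on the JVM's startup options allow it. Moving the grants into a table changes who the policy author is (anyone with write access to JAAS_POLICY, or to the DataSource credentials) without removing the need for least privilege; it also means the code calling Policy.setPolicy must itself be trusted by the fallback policy, and the rows, like the file, must be treated as trusted configuration rather than user data.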
Java really has two different security models: JAAS and the J2EE security model. J2EE security for servlets, JSP and EJB is done through their deployment descriptors, and makes no use of JAAS.
You will get much better support for J2EE security from your server than you will for JAAS. Among other things, the J2EE server will copy security data out of the deployment descriptors and store it in a more secure location (typically a database).
To comment on the above (J2EE security for servlets, JSP and EJB makes no use of JAAS), this is not true!
The J2EE specification does not specify what security mechanism to use; it leaves the decision to the appserver vendor. JBoss DOES implement it using JAAS.