General J2EE: Jaas Portability?? Help !
I have implemented a JAAS based authentication application on Sun's AppServer 8.
The problem I face, however, is that my solution is completely tied to the AppServer. I needed an LDAP authentication mechanism, and I figured out that if I want container-based authentication then I have to create the realm and login modules extending Sun's AppServer classes. And that seems to be the way to go for applications in the J2EE environment.
Is this a correct analysis of JAAS usage? I, for example, would like to use the JndiLoginModule provided with the JDK, but I'm not sure if that can be used in a web application.
Thanks. I would really appreciate some input.
- Jaas Portability?? Help ! by Irakli Nadareishvili on May 24 2005 19:50 EDT
Could you clarify a little what exactly you did? Your post does not really include a lot of details.
JAAS is absolutely portable. But when people talk about JAAS they usually mean classes in java.security.* and javax.security.auth.* packages.
Which Sun AppServer classes did you extend and why?
Well, I'm creating a web application that will do container-managed authentication using JDBC mechanisms. The idea was that I will use JAAS login modules, and the user can just plug in different login modules (LDAP, JDBC, others) to do their authentication. Now if I am using Sun's App Server, in order to create a JDBCLoginModule I can't just extend the javax.security.auth.spi.LoginModule but I have to extend com.sun.enterprise.security.auth.PasswordLoginModule that comes with Sun's AppServer. You can check the documentation here:
So my question/concern now is that if I want to deploy this app on JBoss, for example, I can't do that because I would need those container-based classes in my classpath. What I've seen is that JBoss has its own extension and Tomcat has its own realms that you need to work with.
If you want your application to deploy on any J2EE server, you will need to bundle self-contained authentication implementations with your application.
Since JBoss is LGPL, legally you are allowed to extract appropriate source from their code and use it. The question is - how easy will it be to do the extraction.
You may be able to find some other open-source implementation, too.
As for DBLoginModule (using JDBC, Hibernate or whatever) - it should not be hard to write one yourself that will work with your database schema.
JAAS provides you the ability to plug in different implementations and cleanly separate the authentication implementation, even chain different methods into one process, but - not the actual implementation.
So, JAAS is portable, but whether your packaging will be is a different question.
Thanks for your reply. So in other words, it would be programmatic login, i.e. the developer is responsible for handling all the authentication. I was trying to implement container-based authentication, but I suppose if it's container-based then you need container-specific classes.
So in essence I can have any implementation in the background, but the way authentication is handled by the app is uniform no matter what implementation I use.
Something like that.
There are different kinds of programmers. Most probably, the different JAAS login modules would be written as part of the "framework" in your application, so module programmers would not do it, but the framework programmer needs to bundle them into the framework, either by writing them herself or by using a pre-existing implementation.
That is, if you want to make sure that your application works on all J2EE servers, because:
1) Not all J2EE servers have all authentication types (DB, LDAP, etc.) implemented.
2) Even for those that do - the implementation class names are different and you would have to indicate in your documentation which class should be indicated in the login-config.xml for each app server.
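As an added illustration of the bundling approach discussed in this thread (not code from any poster or from an application server): a login module written against only javax.security.auth.*, driven by a programmatic LoginContext whose Configuration is built in code. The Backend interface, the class names, the "backend" option key and the sample account are hypothetical, and Java 17 or later is assumed.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class PortableLoginDemo {
    record UserPrincipal(String name) implements java.security.Principal { public String getName() { return name; } }
    public interface Backend { boolean verify(String user, char[] password); } // hypothetical: JDBC, LDAP, ...
    // Implements only the standard SPI, so it ships inside the application and needs no server classes.
    public static class BundledLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler;
        private Backend backend; private UserPrincipal principal;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
            subject = s; handler = h; backend = (Backend) options.get("backend");
        }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user");
            PasswordCallback pc = new PasswordCallback("password", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (Exception e) { throw new LoginException("callback failed: " + e); }
            char[] pw = pc.getPassword();
            boolean ok = backend != null && nc.getName() != null && pw != null && backend.verify(nc.getName(), pw);
            if (!ok) throw new FailedLoginException("authentication failed"); // fail closed
            principal = new UserPrincipal(nc.getName()); return true;
        }
        public boolean commit() { return principal != null && subject.getPrincipals().add(principal); }
        public boolean abort() { principal = null; return true; }
        public boolean logout() { if (principal != null) subject.getPrincipals().remove(principal); return true; }
    }
    // Programmatic login: the Configuration is built in code instead of a server-specific login config file.
    static Subject authenticate(String user, char[] pw, Backend backend) throws LoginException {
        AppConfigurationEntry[] entries = { new AppConfigurationEntry(BundledLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of("backend", backend)) };
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return entries; }
        };
        LoginContext lc = new LoginContext("app", new Subject(), cbs -> {
            for (Callback cb : cbs) {
                if (cb instanceof NameCallback nc) nc.setName(user);
                else if (cb instanceof PasswordCallback pc) pc.setPassword(pw);
                else throw new UnsupportedCallbackException(cb);
            }
        }, cfg);
        lc.login(); return lc.getSubject();
    }
    public static void main(String[] args) throws Exception {
        Backend demo = (u, p) -> "alice".equals(u) && Arrays.equals(p, "s3cret".toCharArray()); // constructed
        System.out.println(authenticate("alice", "s3cret".toCharArray(), demo).getPrincipals());
    }
}
```

The in-memory backend in main is a constructed stand-in; a real Backend would bind to the directory or check a salted password hash from the database.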