I've been wracking my brain for some time now trying to get JAAS (Java Authentication and Authorization Service) working with JSPs and Servlets on iWS 4.1. I've successfully got the authentication piece in place but I can't seem to get the authorization piece to work. I end up with an all or nothing outcome. Either an authenticated user is authorized for everything or nothing.
A general question I have is, "Has anyone done this?" A more direct question deals with servlets and the SecurityManager. Whenever I attempt to get the SecurityManager in a servlet, I get null back (even if I pass the -Djava.security.manager parameter to the JVM through the iWS admin settings.) Do servlets operate without a SecurityManager? I seem to remember reading something that said they operated in a sandbox similar to an applet.
If anyone has any answers or ideas concerning any of this, I would really appreciate hearing what they are.
By way of background, I've been attempting essentially the same thing, only with JRun 3 as the app server. From what I understand all servlets run within the JVM started by the servlet container (iWS in your case, JRun in mine), and so a servlet will operate with whatever security options are passed in when the JVM starts. The fact that you do not see this could indicate one of two things:
1. iWS is not applying your -Djava.security.manager startup option, or
2. iWS is installing its own security manager (possibly in some startup class) by calling System.setSecurityManager()
In my case, I had no problem getting JRun to start the JVM with a security manager (-Djava.security.manager). However, because JRun (by default) would load servlets with its own class loader, the CodeBase was not being initialized (it was always null). The JRun class loader incorrectly subclassed ClassLoader directly rather than a concrete implementation which sets all the security properties automatically, such as URLClassLoader. In the end I had to play around with the JRun configuration so that it would not load servlets with its own class loader. Once I was able to do this, security checks were performed as expected.
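The class-loader point in the reply above is easy to see in isolation. The following is an added example, not code from the thread, JRun or iWS: it re-defines the same class bytes through two loaders, one that subclasses ClassLoader directly (as the reply says JRun's loader did) and one that subclasses SecureClassLoader and supplies a CodeSource (what URLClassLoader does internally). The deployment URL `file:/opt/app/servlets/` is a hypothetical value chosen for illustration.

```java
import java.io.InputStream;
import java.net.URI;
import java.net.URL;
import java.security.CodeSource;
import java.security.SecureClassLoader;
import java.security.cert.Certificate;

// Added example (not from the thread): why a loader that subclasses
// ClassLoader directly yields classes with no code-base location, which
// means a codeBase-keyed policy grant can never match them.
public class CodeBaseDemo {

    // Tiny class whose bytes we re-define through two different loaders.
    public static class Probe { }

    // Mirrors the problematic loader described in the reply: extends
    // ClassLoader directly and uses the 4-arg defineClass, so the class gets
    // the loader's default ProtectionDomain, whose CodeSource has a null
    // location.
    static class BareLoader extends ClassLoader {
        BareLoader() { super(null); } // no parent, so Probe is defined here, not delegated
        Class<?> define(String name, byte[] b) {
            return defineClass(name, b, 0, b.length);
        }
    }

    // The fix: extend SecureClassLoader (URLClassLoader does this for you)
    // and pass a CodeSource, so the ProtectionDomain carries a real location
    // that a policy file's codeBase clause can match.
    static class LocatedLoader extends SecureClassLoader {
        LocatedLoader() { super(null); }
        Class<?> define(String name, byte[] b, URL location) {
            CodeSource cs = new CodeSource(location, (Certificate[]) null);
            return defineClass(name, b, 0, b.length, cs);
        }
    }

    // Read the compiled bytes of Probe from the classpath (compile with javac
    // first so CodeBaseDemo$Probe.class exists on disk).
    static byte[] probeBytes() throws Exception {
        try (InputStream in = CodeBaseDemo.class.getResourceAsStream("CodeBaseDemo$Probe.class")) {
            return in.readAllBytes();
        }
    }

    // The value a codeBase policy grant is matched against.
    static URL locationOf(Class<?> c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        return cs == null ? null : cs.getLocation();
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = probeBytes();
        String name = "CodeBaseDemo$Probe";

        Class<?> bare = new BareLoader().define(name, bytes);
        Class<?> located = new LocatedLoader().define(name, bytes,
                URI.create("file:/opt/app/servlets/").toURL()); // hypothetical deployment dir

        System.out.println("bare loader code base:    " + locationOf(bare));    // null
        System.out.println("located loader code base: " + locationOf(located)); // file:/opt/app/servlets/
    }
}
```

Compile with `javac CodeBaseDemo.java` and run `java CodeBaseDemo`. A policy entry such as `grant codeBase "file:/opt/app/servlets/-" { ... }` can only apply to the class defined by LocatedLoader; the class from BareLoader has no location to match, so it receives only whatever the policy grants to all code, which is the all-or-nothing behaviour the thread describes.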
Thanks for the tips. I haven't looked at the class loader option. I'll try that.
I am currently trying to build the JAAS Authentication for the company's B2B project.
Is it possible for you to send your Authentication sample to me?
JosephJou at aol dot com