
Is this one of the best ways to authenticate a user in Java EE 6?

Are there any good reasons to use JAAS in authentication/user login? Talking about package:

javax.security.auth

Applying JAAS to a simple webapp isn't trivial, so that's why I'm asking. Here is an example.

It might be needed for authorization anyways.

jacktrades

1 Answer

If you're going to rely on the container to enforce authorization through the use of @RolesAllowed annotations, then the answer is yes, you will need JAAS.

As to whether it is complex or not, it really depends on the LoginModule implementation that you'll be using. Containers do come with LoginModule implementations out of the box, especially to authenticate against identity stores like files, LDAP servers or databases. If that is all you require, you could be using those instead of wiring up your own implementation.

If you really want to write a LoginModule like Antonio Goncalves has done, you'll need to understand the role of a LoginModule and JAAS. His module uses the CustomerService built into his app during the authentication process. The module simply looks up the CustomerService bean through the CDI BeanManager and delegates all authentication requests to the findCustomer(username, password) method. A LoginException is thrown if no customer is found for the provided credentials.

Vineet Reynolds
  • Is PicketBox the out-of-the-box LoginModule implementation of JBoss? – jacktrades Nov 15 '12 at 16:47
  • @jacktrades PicketBox is available as a module in JBoss AS7 (look under JBOSS_HOME/modules/org/picketbox). If you're writing a custom security module, [this](https://community.jboss.org/wiki/JBossAS7SecurityCustomLoginModules) would help. But, if you're looking for standard modules out of the box in AS7, [this](https://community.jboss.org/wiki/JBossAS7SecurityDomainModel#Security_Domains) is a good reference. The standard login modules in AS7 are provided by the `org.picketbox` JBoss module. – Vineet Reynolds Nov 15 '12 at 17:08
  • >`to enforce authorization through the use of @RolesAllowed annotations, then the answer is yes, you will need JAAS.` This is not entirely true. Actually, it's not true at all ;) Nothing in Java EE, absolutely nothing, requires the use of JAAS. `@RolesAllowed` is a Common Annotations annotation to which currently only EJB gives meaning. How you authenticate with EJB is either left to the container, which absolutely doesn't have to use JAAS, or authentication propagates from SOAP or Servlet, which in standard Java EE can use JASPIC, which doesn't have to use JAAS either. – Arjan Tijms Jan 14 '16 at 23:06
  • >`Containers do come with LoginModule implementations out of the box` - Again, this is not entirely true. A few containers like GlassFish and JBoss have a proprietary authentication mechanism that builds on JAAS types, but uses `LoginModule` in a highly specific way, up to the point that one can ask why that type is even used in the first place. Other servers like Liberty or servlet containers like Tomcat don't use JAAS at all (not even weakly) but have "identity stores" that are based on a totally different type. – Arjan Tijms Jan 14 '16 at 23:10
  • In general it's a very common mistake to think that JAAS is some standard technology in Java EE. Unfortunately it's anything but. See http://java.sys-con.com/node/1002315 and http://arjan-tijms.omnifaces.org/2015/10/how-servlet-containers-all-implement.html and http://arjan-tijms.omnifaces.org/2014/02/jaas-in-java-ee-is-not-universal.html – Arjan Tijms Jan 14 '16 at 23:13