In simplest terms, can anyone explain to me the difference between JAAS, JACC and JASPIC? - McMap

About

In simplest terms, can anyone explain to me the difference between JAAS, JACC and JASPIC?

Asked 24/3, 2015 at 23:54 Answered 25/3, 2015 at 15:30

Solved jakarta-ee java-ee-6 jaas jaspic jacc

D

1

15

I'll be honest. I've been a developer for a quite some time now but its the first time I've heard of JACC ans JASPIC. I understand that they are standards used by authorization providers, but how exactly to they differ from JAAS? and when would we use one over the other?

I did some initial research, its not that I'm lazy to do it. Its just that reading articles on JACC and JASPIC kinda overwhelmed me a little bit and I need to learn about this in the short possible time because I need to implement this in one of my upcoming projects. Just looking for a jump start on my understanding on it.

Devotional answered 24/3, 2015 at 23:54 Comment(0)

W

28

JAAS is included with Java SE, and is mainly useful for Java SE. It's about code level security (do you trust the code).

It's not directly useful for Java EE, which is about user level security (do you trust the user).

Some Java EE servers can use something that is based on JAAS LoginModules for authentication, but this usage of JAAS is non-standard and is extremely shallow compared to what it does in Java SE. For some reason or the other, because of this people think that security in Java EE is called JAAS, but it's completely the other way around.

JASPIC is an extension point that Java EE 6+ servers have to create and plug-in additional authentication mechanisms. You can use this to create things like OAuth, OpenID etc mechanisms. JASPIC is about interaction with your user. It says nothing about getting user data from things like LDAP or a database. You can do that with your own code, or by calling a JAAS LoginModule. JASPIC does define how JAAS LoginModules can be connected to your custom mechanism in a more standard way. Too bad it's not 100% standard still, but better at least.

JACC is another extension point but for authorization mechanisms. You can use it to do authorization in a different way, or to just audit authorization. JACC also makes all security constraints that you defined in web.xml available to your code. You can use that to check beforehand if a user will have access to a page. Unlike JASPIC, JACC is very difficult to actually activate in your application. You need to mess with JVM arguments etc.

Woodenware answered 25/3, 2015 at 15:30 Comment(2)

Very much appreciated - that was straight to the point! I am using JBoss which comes with JACC out of the box - that should take of authorization. But what about authentication—should I still use JAAS LoginModules for authentication or is there something else? Thanks! – Perishable 11/8, 2016 at 7:8

@MatthewCachia A javax.security.auth.message.module.ServerAuthModule (SAM) is all you have to implement as far as portable authentication is concerned. If you also intend to integrate your SAM with JBoss in a portable fashion, however, you will additionally have to implement an AuthConfigProvider (plus a ServletContextInitializer serving as the former's registrant with the container-provided AuthConfigFactory), a ServerAuthConfig and a ServerAuthContext. For the prevalent use case of a single SAM protecting a single application, those are relatively painless to author. – Tralee 13/8, 2016 at 16:58

Recommended topics

#Godot #Unity #Godot 4.X #Mongodb

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

© 2022 - 2024 — McMap. All rights reserved.