Login/Register
Why should i use JAAS against hand-written security?
Asked Answered
Solved javasecurityjakarta-eejaas
C

2

14

I got hand-written security, simple servlet-filter which redirect not-authorized user to their login pages. Login controller redirect them to the requested URL after successfull authentication or their main page. This approach work fine, the only disadvantage, that I have to pass User object which is stored in the HttpSession through stacktrace to EJB beans.

Now I rewrote some code and use Spring-security as http based authentication. It is integrated automatically with Glassfish JAAS.

I don't need to pass User through stacktrace anymore, invocation sessionContext.getCallerPrincipal() is enough. But the principal object return me only userName, not userId, so i have to perform addition select if i need userId for example.

1) Is there anyway to extend Principal object, so it can store more properties ?

2) Why i should use JAAS or Spring Security or another security framework, why not just hand writen servlet filter ?

Cockalorum answered 21/4, 2011 at 14:18 Comment(0)
P
12

2) Using a standard security mechanism like JAAS has many advantages:

  1. You can easily change the way user authenticates solely by configuring your server - without need to change anything inside your code.

  2. You can be sure your security is up-to-date, supporting strongest algorithms, storing Principal in a secure manner and so on. Again just by staying up-to-date with your server, framework etc. Having a hand-written security module is prone to errors and to be outdated soon.

  3. You can leverage framework security - eg. web.xml security tags, EJB security annotations. Because JAAS is a standard way to authenticate, you can be sure adopting future technologies will be easier, because all serious technologies will support JAAS (Spring security etc.). If your software is planned to grow, you will definitely need a standard.

  4. It will save you time and effort. JAAS provides both authentication and authorization, neatly packed and configurable within minutes.

  5. I recommend futher reading on J2EE security or you can find more resources in OWASP guides.

Prittleprattle answered 22/4, 2011 at 11:32 Comment(2)
Writing your own implementation of a login module is more portable due to it not relying on additional server configurations. As long as you take into account that you need to then manage all security roles manually.Lawley
Also the JAAS model assumes that your security model is role-based. That may not be the case always. Security model can be purely permission-based (because definition of role can change tomorrow). I would use a simple servlet filter for page-level security and use CDI interceptors for method/class level security.Hsinking
M
0

1) I don't know if you can extend the class Principal. But note, in your LoginModule, before you finish the authentication calling the commit() (probably in your login() method), it is possible to add credentials in the Subject. For this, just add the object to one of the lists: Subject.getPrivateCredentials() or Subject.getPublicCredentials() (with no arguments). You can add many objects like your own class, a String, or whatever you want.

To retrieve the objects in your application, use the procedure detailed in my other answer.

import javax.security.jacc.PolicyContext;

Subject subject = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
Mandolin answered 8/9, 2015 at 2:32 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.