Slide 1: Web Applications and JAAS
Dan Moore, Consultant, Seurat Company
July 11, 2002
November 23, 2018
Slide 2: Introduction
- Overview of Struts
- Java Authentication and Authorization Service (JAAS)
- JAAS Authentication
- Integration with Struts
- Default JAAS Authorization
- Situations where JAAS is useful/not useful
- About my experience
Slide 3: What do you want?
- How many are building web applications?
- Using Struts or another lightweight framework
- Using ATG Dynamo, WebSphere or another heavyweight framework
- Heard of Struts
- Played with Struts
- Heard of JAAS
- Played with JAAS
- Questions please
Slide 4: Motivation
- Authentication and authorization are plumbing
- Re-invent or re-learn the wheel
- Re-learn once or many times
- Concepts from bright people
- Future integration with app servers
- Resume
Slide 5: Struts
- What is Struts
- Architecture
- Sample struts-config.xml
- Example application
Slide 6: What is Struts
- Web application framework
- MVC (almost)
- Lightweight
- Few services provided
- Open Source Jakarta project
- Apache license
Slide 7: Struts architecture
Slide 8: Show struts-config.xml
Slide 9: Demo: Untouched Example Application
Slide 10: What is JAAS
- Interfaces and classes for standard authentication and authorization
- Lightweight and pluggable
- Really two separate APIs: Authentication and Authorization
- Authorization depends on Authentication
- JDK 1.3.x supplemental jar; now part of JDK 1.4
Slide 11: Authentication
- Definitions
- Configuration
- Typical use
- Integration with example application
- Code
Slide 12: Definitions
- User
- Subject
- Principal
- Login module
- Login module set
Slide 13: Show Authentication Configuration File
Slide 14: Show Authentication Password File
Slide 15: Configuration of Authentication
- Configuration file
- Tokens in configuration file: required/optional/sufficient/necessary
- Can replace the class that reads this file
- Tagish Login Module: file based, GPL
- Could write your own, see resources
- JVM awareness: 1.3 class loader issues
- System property: java.security.auth.login.config
- java.security file
Slide 16: Typical Use
- Create LoginContext: login module set name, CallbackHandler
- Interact with user
- Try to login; may repeat if need be
- If login successful, Subject is an attribute of LoginContext
- If login unsuccessful, exception thrown
Slide 17: Integration of Authentication with Example Application
- Struts defers to adapter
- Converts exceptions to boolean
- CallbackHandler weirdness
- Struts caches Subject in session (377 bytes in size)
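The login flow of slides 15 to 17 (a login module set named in the JAAS config file, a LoginContext driven by a CallbackHandler that replays what the web form posted, and JAAS exceptions collapsed to a success/failure answer a Struts Action can store) as an added example. This is not code from the talk or from its sample application; the class name JaasLoginAdapter, the login module set name WebAppLogin and the module class com.example.PasswordFileLoginModule in the assumed configuration are placeholders.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/*
 * Assumed JAAS login configuration, pointed to with
 *   -Djava.security.auth.login.config=/path/to/login.conf
 * (or registered in the JDK's java.security file). The module class name is a
 * placeholder; the control flags JAAS accepts are required, requisite,
 * sufficient and optional.
 *
 *   WebAppLogin {
 *       com.example.PasswordFileLoginModule required passwordFile="/path/to/passwd";
 *   };
 */
public final class JaasLoginAdapter {

    /** Login module set name; must match an entry in the config file (assumed). */
    private static final String LOGIN_CONTEXT_NAME = "WebAppLogin";

    /**
     * Answers the login module's callbacks from credentials the web form already
     * posted. This is the "CallbackHandler weirdness" of a web app: JAAS was
     * designed to prompt the user, but by the time Struts calls the adapter the
     * prompt has already happened, so the handler just replays the form values.
     */
    private static final class FormCallbackHandler implements CallbackHandler {
        private final String username;
        private final char[] password;

        FormCallbackHandler(String username, char[] password) {
            this.username = username;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks)
                throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(username);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password); // the callback copies the array
                } else {
                    // A module asking for something a form cannot supply is a
                    // configuration mismatch; fail the login rather than guess.
                    throw new UnsupportedCallbackException(cb,
                            "form login cannot answer " + cb.getClass().getName());
                }
            }
        }
    }

    /**
     * Runs the login module set and converts the JAAS outcome to what a Struts
     * Action wants: the authenticated Subject, or null on failure. Every
     * LoginException (bad credentials, missing config entry, module error) and
     * SecurityException (JAAS permission or configuration-loading problems) is
     * treated as "not authenticated"; the reason is logged, never shown to the
     * user. The caller's password array is zeroed on every exit path.
     */
    public static Subject login(String username, char[] password) {
        try {
            LoginContext lc = new LoginContext(LOGIN_CONTEXT_NAME,
                    new FormCallbackHandler(username, password));
            lc.login();               // phase 1 login() then phase 2 commit() on each module
            return lc.getSubject();   // only populated after login() succeeded
        } catch (LoginException | SecurityException e) {
            System.err.println("JAAS login failed for '" + username + "': " + e.getMessage());
            return null;
        } finally {
            Arrays.fill(password, '\0');
        }
    }

    /** Stand-alone entry point; needs a login.conf with a WebAppLogin entry to succeed. */
    public static void main(String[] args) {
        Subject s = login("alice", "constructed-sample-password".toCharArray());
        System.out.println(s == null ? "not authenticated"
                                     : "authenticated: " + s.getPrincipals());
    }
}
```

A Struts Action would call JaasLoginAdapter.login() with the form bean's fields and, on a non-null result, put the Subject into the HttpSession, which is the caching step slide 17 describes; only the Subject (principals and credentials) is stored, never the password.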
Slide 18: Show Struts calling Adapter, and Adapter
Slide 19: Authorization
- Caveat
- Definitions
- Java security
- Configuration
- Typical use
- Integration with example application
- Code
Slide 20: Caveat
- This is the default authorization scheme
- It has blemishes
- Can plug in your own via the java.security file, see resources
Slide 21: Definitions
- Resource
- Permission: three components, class, resource and action, e.g. java.io.FilePermission "/tmp" "read"
- BasicPermission / Permission
- Principals
- Security Manager
Slide 22: Java security model
- How many are familiar?
- Based on permissions and resources
- Code based: permissions granted to code based on a given location (jar, URL) and the signer of the code
- Permission stack: class A calls class B calls class C...
- JAAS extends this to include the Subject executing the code
Slide 23: Show Authorization Configuration File
Slide 24: Configuration of Authorization
- In some respects, similar to authentication
- Configuration file based on the Java security model
- Subject must have every principal to access the resource
- Wildcards possible, but not null subjects
- Can replace the class which reads this file
- Tell the JVM where the security configuration file lives: java.security file; multiple files, unioned; command line: java.security.auth.policy
Slide 25: Typical Use
- Install/get security manager
- Before allowing access to a resource, check with the security manager
- All Java classes that guard resources do this
- Subject.doAsPrivileged(subject, object wrapper of access, access context)
Slide 26: Integration with example application
- Treat URLs as resources
- BasicPermission, but in a real app you would want a real Permission
- Subclass ActionServlet: only resources ActionServlet controls are protected
- Alternative: servlet filters
- Call off to utility class
- Special handling of login page
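The authorization utility of slides 21 to 26 (a URL treated as a resource named by a BasicPermission, the check performed with Subject.doAsPrivileged against a principal-based policy, and the login page exempted) as an added example. This is not the talk's code; the class names UrlAuthorizer and UrlPermission, the principal class com.example.UserPrincipal in the assumed policy entry, and the paths /login.do and /admin/listUsers.do are placeholders. It relies on the SecurityManager-era permission model: AccessController and Policy, which the JDK deprecated in Java 17 and disabled in Java 24, so it demonstrates the JDK 1.3/1.4 mechanism the talk is about rather than a current-JDK recommendation.

```java
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

/*
 * Assumed policy entry, in the file named via the property the talk mentions
 * (java.security.auth.policy for the JAAS 1.0 add-on; java.security.policy
 * from JDK 1.4 onward). The principal class is a placeholder. Nested classes
 * are named with '$' in policy files.
 *
 *   grant principal com.example.UserPrincipal "alice" {
 *       permission UrlAuthorizer$UrlPermission "/admin/listUsers.do";
 *   };
 */
public final class UrlAuthorizer {

    /** The login page must be reachable by everyone, including null subjects (assumed path). */
    private static final String LOGIN_PATH = "/login.do";

    /**
     * A web resource named by its Struts action path. BasicPermission.implies()
     * does exact-name matching plus a trailing ".*" wildcard, which fits Java
     * package names, not "/" separated URL paths; that is why the talk wants a
     * Permission subclass that understands URLs for a real application.
     */
    public static final class UrlPermission extends BasicPermission {
        public UrlPermission(String path) { super(path); }
        // Two-argument form used by the policy file loader; actions are ignored.
        public UrlPermission(String path, String actions) { super(path, actions); }
    }

    /**
     * Decides whether subject may reach actionPath. The check runs inside
     * Subject.doAsPrivileged with a null AccessControlContext, so only the
     * Subject's principals and this class's own ProtectionDomain take part;
     * callers further up the stack (the servlet container) are ignored.
     * With a SecurityManager installed, this class's code source itself needs
     * javax.security.auth.AuthPermission "doAsPrivileged".
     */
    public static boolean isAllowed(Subject subject, String actionPath) {
        if (LOGIN_PATH.equals(actionPath)) {
            return true;                      // special handling of the login page
        }
        if (subject == null) {
            return false;                     // the policy never grants to null subjects
        }
        final UrlPermission needed = new UrlPermission(actionPath);
        try {
            Subject.doAsPrivileged(subject, new PrivilegedAction<Void>() {
                @Override
                public Void run() {
                    AccessController.checkPermission(needed); // consults the Policy
                    return null;
                }
            }, null);
            return true;                      // a grant matched the Subject's principals
        } catch (AccessControlException e) {
            return false;                     // denied: no grant matched
        }
    }

    /** Stand-alone check: with no matching grant in the policy, prints "denied". */
    public static void main(String[] args) {
        Subject anonymous = new Subject();    // constructed: no principals at all
        boolean ok = isAllowed(anonymous, "/admin/listUsers.do");
        System.out.println(ok ? "allowed" : "denied");
    }
}
```

A subclass of ActionServlet (or a servlet filter, the alternative slide 26 names) would pull the cached Subject from the session and call UrlAuthorizer.isAllowed(subject, request.getServletPath()) before dispatching; because the Subject has no principals, the constructed anonymous Subject above is denied everything except the login page, which is the behaviour the policy model gives by default and the reason the null-subject check comes first.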
Slide 27: Show Struts calling Authorization Utility
Slide 28: Places to extend Authorization
- Protect not only URLs but content as well (taglib)
- Increase configuration file scalability
- Permission class that "understands" URLs
- HTTP/HTTPS delineation
- Would love an Open Source jar
- Code emphasis not repairable
Slide 29: Demo: Modified Application
Slide 30: Conclusion
- On pluggability
- Situations where JAAS is a good fit
- Situations where JAAS is not
Slide 31: Pluggability
- Overused term
- Two kinds of pluggability: the class which reads the configuration, and the configuration file itself
- Login modules
- Permissions
Slide 32: Where JAAS looks useful
- You have different authentication systems that need to look the same
- Lightweight framework
- You have complex authentication systems
- Authorization is something you have time to rework
Slide 33: Where JAAS should be avoided
- Pre-JDK 1.3 projects
- If there's already a heavyweight framework available, unless you want to tackle the integration issues
- If authorization is problematic and you don't have time to fix it
Slide 34: Finally
- For web applications, I feel authentication is ready; authorization is not
- JAAS may not be a good fit: it doesn't integrate with the application servers out there presently
- Similar to the servlet specification: should be implemented by vendors
Slide 35: Resources
- Struts: http://jakarta.apache.org/struts
- Write your own login module
- Pick up some free ones
- Java security: Java Security by Scott Oaks
- Write your own authentication system
- Paper this talk is based upon
- Sample code that works with Struts
Slide 36: Thanks
- Seurat, nee XOR
- Reviewers: Tom Malaher, Dion Almaer, Brian Pontarelli, Kris Thompson
- Steven Sweeting, Clive Jones, and Aaron Rustad: basis of Struts architecture diagram