
Web Applications and JAAS

Web Applications and JAAS. Dan Moore, Consultant, Seurat Company, July 11, 2002. Introduction: overview of Struts; Java Authentication and Authorization Service (JAAS); JAAS authentication and its integration with Struts; default JAAS authorization and its integration with Struts.


Presentation Transcript


  1. Web Applications and JAAS Dan Moore Consultant Seurat Company July 11, 2002

  2. Introduction
  • Overview of Struts
  • Java Authentication and Authorization Service (JAAS)
  • JAAS Authentication
    • Integration with Struts
  • Default JAAS Authorization
    • Integration with Struts
  • Situations where JAAS is useful/not useful
  • About my experience

  3. What do you want?
  • How many are building web applications
    • Using Struts or other lightweight framework
    • Using ATG Dynamo, WebSphere or other heavy framework
  • Heard of Struts
  • Played with Struts
  • Heard of JAAS
  • Played with JAAS
  • Questions please

  4. Motivation
  • Authentication and Authorization are plumbing
  • Re-invent or re-learn the wheel
    • Re-learn once or many times
  • Concepts from bright people
  • Future integration with app servers
  • Resume

  5. Struts
  • What is Struts
  • Architecture
  • Sample struts-config.xml
  • Example application

  6. What is Struts
  • Web application framework
  • MVC (almost)
  • Lightweight
  • Few services provided
  • Open Source Jakarta project
  • Apache license

  7. Struts architecture

  8. Show struts-config.xml

  9. Demo Untouched Example Application

  10. What is JAAS
  • Interfaces and classes for standard authentication and authorization
  • Lightweight & Pluggable
  • Really two separate APIs
    • Authentication
    • Authorization
      • Which depends on Authentication
  • JDK 1.3.x supplemental jar and now part of 1.4 JDK

  11. Authentication
  • Definitions
  • Configuration
  • Typical use
  • Integration with example application
  • Code

  12. Definitions
  • User
  • Subject
  • Principal
  • Login module
  • Login module set

  13. Show Authentication Configuration File

  14. Show Authentication Password File

  15. Configuration of Authentication
  • Configuration file
    • Tokens in configuration file
    • Required/optional/sufficient/necessary
  • Can replace class that reads this file
  • Tagish Login Module
    • File based
    • GPL
  • Could write your own, see resources
  • JVM awareness
    • 1.3 class loader issues
    • System property: java.security.auth.login.config
    • java.security file
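As an added illustration (not a file from the talk or its sample code), a JAAS login configuration file for one login module set, with the control flag semantics spelled out; the entry name, module class names, option names and paths are placeholders. The four flags JAAS defines are required, requisite, sufficient and optional.

```text
/* jaas.config: one entry per login module set (the name a LoginContext asks for).
   Control flags, evaluated top to bottom:
     required   - must succeed; the rest of the stack still runs (so a failure
                  does not reveal which module rejected the login)
     requisite  - must succeed; on failure control returns to the caller at once
     sufficient - success ends the stack early, unless an earlier required or
                  requisite module already failed
     optional   - its result only matters if no required/requisite module exists */
StrutsExample {
    /* placeholder module class; the talk uses the Tagish file-based module here */
    com.example.auth.FileLoginModule required pwdFile="/opt/app/conf/passwd";
    /* may add role Principals to the Subject but can never veto the login */
    com.example.auth.LdapRolesLoginModule optional debug=true;
};

/* Telling the JVM where the file lives (the "JVM awareness" bullet above):
   java -Djava.security.auth.login.config=/opt/app/conf/jaas.config ...
   or, for every JVM using that JRE, in its java.security file:
   login.config.url.1=file:/opt/app/conf/jaas.config */
```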

  16. Typical Use
  • Create LoginContext
    • Login module set name
    • Callbackhandler
  • Interact with User
  • Try to login
    • May repeat if need be
  • If login successful, Subject is an attribute of LoginContext
  • If login unsuccessful, exception thrown

  17. Integration of Authentication with Example application
  • Struts defers to adapter
  • Converts exceptions to boolean
  • Callbackhandler weirdness
  • Struts caches Subject in session
    • 377 bytes in size

  18. Show Struts calling Adapter and Adapter
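An added example, not the talk's sample code, of the adapter that slides 16 to 18 describe: a CallbackHandler that replays the fields the login form already posted (there is no console to prompt on) and a login method that collapses every LoginException into a null Subject for the Struts Action to test. The package, class names and the module set name passed to the constructor are assumptions.

```java
package com.example.auth;

import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Adapter between the Struts login Action and JAAS: exceptions in, Subject-or-null out. */
public final class JaasAuthAdapter {
    private final String loginModuleSet;   // entry name in the JAAS login config file

    public JaasAuthAdapter(String loginModuleSet) { this.loginModuleSet = loginModuleSet; }

    /** Returns the authenticated Subject, or null if any stage of the login failed. */
    public Subject login(String username, char[] password) {
        try {
            LoginContext lc = new LoginContext(loginModuleSet,
                                               new FormCallbackHandler(username, password));
            lc.login();                    // drives the configured module stack
            return lc.getSubject();        // the Action caches this in the HttpSession
        } catch (LoginException e) {
            // FailedLoginException, AccountExpiredException, missing config entry...
            // all become "not logged in", so the browser cannot tell which one it was
            return null;
        } finally {
            Arrays.fill(password, '\0');   // do not keep the cleartext around
        }
    }

    /** The "callbackhandler weirdness": nobody to prompt, so answer from the form fields. */
    private static final class FormCallbackHandler implements CallbackHandler {
        private final String username;
        private final char[] password;

        FormCallbackHandler(String username, char[] password) {
            this.username = username;
            this.password = password;
        }

        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(username);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);   // callback copies the array
                } else {
                    throw new UnsupportedCallbackException(cb, "login form cannot answer this");
                }
            }
        }
    }
}
```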

  19. Authorization
  • Caveat
  • Definitions
  • Java security
  • Configuration
  • Typical Use
  • Integration with example application
  • Code

  20. Caveat
  • This is the default authorization scheme
  • It has blemishes
  • Can plug in your own via java.security file, see resources

  21. Definitions
  • Resource
  • Permission
    • Three components
      • Class, resource and action
      • java.io.FilePermission "/tmp" "read"
    • Basic permission/Permission
  • Principals
  • Security Manager

  22. Java security model
  • How many are familiar?
  • Based on permissions and resources
  • Code based
    • Permissions granted to code based on
      • a given location (jar, URL)
      • Signer of code
  • Permission stack
    • Class A calls class B calls class C…
  • JAAS extends to include Subject executing code

  23. Show Authorization Configuration File

  24. Configuration of Authorization
  • In some respects, similar to authentication
  • Configuration file
    • Based on java security model.
    • Subject must have every principal to access resource
    • Wild cards possible
      • But not null subjects
  • Can replace class which reads this file
  • Tell JVM where security configuration file lives
    • java.security
      • Multiple, unioned
    • Command line: java.security.auth.policy
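An added example (not the talk's configuration file) of a Subject-based policy file of the kind this slide describes, treating URL paths as the resources; the principal class, permission class, role names and paths are placeholders.

```text
/* jaas.policy: each grant lists the Principals a Subject must hold, all of them,
   before the permissions inside apply. */

/* Only Subjects carrying the "admin" role may reach anything under /admin/ */
grant Principal com.example.auth.RolePrincipal "admin" {
    permission com.example.auth.UrlPermission "/admin/*";
};

/* Both principals are required here: an "admin" without "auditor" is refused */
grant Principal com.example.auth.RolePrincipal "admin",
      Principal com.example.auth.RolePrincipal "auditor" {
    permission com.example.auth.UrlPermission "/admin/auditlog.do";
};

/* Name wild card: any RolePrincipal at all may view an account. A request made
   with no Subject (not logged in) still matches nothing in this file. */
grant Principal com.example.auth.RolePrincipal * {
    permission com.example.auth.UrlPermission "/account/view.do";
};

/* Point the JVM at it:  java -Djava.security.auth.policy=/opt/app/conf/jaas.policy ...
   Several policy files configured through java.security are unioned together. */
```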

  25. Typical Use
  • Install/get security manager
  • Before allowing access to resource, check with security manager
    • All java classes that guard resources do this
  • Subject.doAsPrivileged(subject, object wrapper of access, access context)

  26. Integration with example application
  • Treat URLs as resources
    • Basic permission, but in real app would want real Permission
  • Subclass ActionServlet
    • Only resources ActionServlet controls are protected
    • Alternative—servlet filters
  • Call off to utility class
  • Special handling of login page

  27. Show Struts calling Authorization Utility
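An added example, not the talk's utility class, of the check slides 25 to 27 describe, and it goes one step beyond the Basic permission the talk used: a Permission that understands URL prefixes (BasicPermission only wild-cards dot-separated names, so "/admin/*" would be taken literally) and a utility the ActionServlet subclass or a filter calls with the cached Subject. Package and class names are assumptions, and the policy must grant com.example.auth.UrlPermission to the Subject's principals; note that the AccessController/Policy machinery this rests on has been deprecated for removal since JDK 17.

```java
package com.example.auth;

import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

/** Permission naming a request path; a trailing "*" covers the whole prefix. */
public final class UrlPermission extends Permission {
    public UrlPermission(String path) { super(path); }

    @Override public boolean implies(Permission p) {
        if (!(p instanceof UrlPermission)) return false;
        String granted = getName();
        String wanted = p.getName();
        if (granted.endsWith("*")) {          // "/admin/*" implies "/admin/users.do"
            return wanted.startsWith(granted.substring(0, granted.length() - 1));
        }
        return granted.equals(wanted);        // otherwise an exact match is required
    }
    @Override public boolean equals(Object o) {
        return o instanceof UrlPermission && ((UrlPermission) o).getName().equals(getName());
    }
    @Override public int hashCode() { return getName().hashCode(); }
    @Override public String getActions() { return ""; }   // a path only, no actions
}

/** Called before a request is dispatched; the login page itself must be exempted by the caller. */
final class UrlAuthorizer {
    /** True only if the policy grants the Subject's principals the requested path. */
    static boolean isAllowed(Subject subject, String path) {
        if (subject == null) return false;   // not logged in: no grant can match
        final Permission needed = new UrlPermission(path);
        PrivilegedAction<Boolean> check = () -> {
            try {
                AccessController.checkPermission(needed);   // consults the installed Policy
                return Boolean.TRUE;
            } catch (AccessControlException denied) {
                return Boolean.FALSE;   // exception becomes a boolean, as for authentication
            }
        };
        // null context: only this code's domain plus the Subject's principals are checked,
        // not the whole servlet container call stack
        return Subject.doAsPrivileged(subject, check, null);
    }
}
```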

  28. Places to extend Authorization
  • Protect not only URLs but content as well
    • taglib
  • Increase configuration file scalability
    • Permission class that "understands" URLs
  • HTTP/HTTPS delineation
  • Would love an Open Source jar
  • Code emphasis not repairable

  29. Demo Modified Application

  30. Conclusion
  • On pluggability
  • Situations where JAAS is a good fit
  • Situations where JAAS is not

  31. Pluggability
  • Overused term
  • 2 kinds of pluggability
    • Class which reads configuration
    • Configuration file itself
      • Login modules
      • Permissions

  32. Where JAAS looks useful
  • You have different authentication systems that need to look the same
  • Lightweight framework
  • You have complex authentication systems
  • Authorization is something you have time to rework

  33. Where JAAS should be avoided
  • Pre-JDK 1.3 projects
  • If there's already a heavyweight framework available
    • Unless you want to tackle the integration issues
  • If authorization is problematic and you don't have time to fix it.

  34. Finally
  • For web applications, I feel
    • Authentication is ready
    • Authorization is not
  • JAAS may not be a good fit
    • Doesn't integrate with application servers out there presently
  • Similar to servlet specification
    • Should be implemented by vendors

  35. Resources
  • Struts: http://jakarta.apache.org/struts
  • Write your own login module: http://java.sun.com/security/jaas/doc/module.html
  • Pick up some free ones: http://free.tagish.net/jaas/doc.html
  • Java security: Java Security by Scott Oaks
  • Write your own authentication system: http://www-106.ibm.com/developerworks/library/j-jaas/?n-j-442
  • Paper this talk is based upon: http://mooreds.com/jaas.html
  • Sample code that works with Struts: http://mooreds.com/jaas-example.tar.gz

  36. Thanks
  • Seurat nee XOR
  • Reviewers
    • Tom Malaher
    • Dion Almaer
    • Brian Pontarelli
    • Kris Thompson
  • Steven Sweeting, Clive Jones, and Aaron Rustad
    • Basis of Struts arch diagram
