
Article: The Power of JAAS: Security System Alternatives

Posted by: Regina Lynch on Tue Oct 18 11:40:36 EDT 2005
In this article, Frank Teti shows us how to architect for RBAC within an environment centered on J2EE using a TAI.

J2EE security is still all about application-bound authorization and authentication, not perimeter security. However, in a highly distributed J2EE architecture, the evolving Java 2 Security “Sandbox Model”, including Java Authentication and Authorization Service (JAAS) 1.0 plus vendor extensions, is essentially a ubiquitous, enterprise-wide security model.

The power of JAAS is in its ability to use almost any underlying security system, such as the local operating system, LDAP, RACF or Oblix NetPoint. Increasingly, one of the more popular alternatives is a Trust Association Interceptor (TAI), which provides J2EE resources with role-based access and user-based single sign-on.

Read "The Power of JAAS: Security System Alternatives"

Threaded replies

  ·  All that JAAS: Security System Alternatives by Andrew Clifford on Tue Oct 18 19:04:33 EDT 2005
    ·  I second that for Acegi for Spring by Scott McCrory on Tue Oct 18 22:04:33 EDT 2005
      ·  Is Acegi Spring dependent ? by vinay singh on Wed Oct 19 02:43:18 EDT 2005
        ·  Re: Is Acegi Spring dependent ? by Andrea Chiumenti on Wed Oct 19 03:42:16 EDT 2005
    ·  acegi or kasai by Hamed KOUBAA on Thu Oct 20 02:15:46 EDT 2005
  ·  Where's the "Printer Friendly Version" gone? by Neil Bartlett on Wed Oct 19 04:55:26 EDT 2005
  ·  Missunderstanding by Pavel Tavoda on Wed Oct 19 09:00:36 EDT 2005
    ·  Enterprise-wide security by Frank Teti on Wed Oct 19 14:03:13 EDT 2005
      ·  Enterprise-wide security by Andrew Clifford on Wed Oct 19 14:31:31 EDT 2005
      ·  Enterprise-wide security by George Jiang on Thu Oct 20 01:39:31 EDT 2005
        ·  Enterprise-wide security by David Abramowicz on Thu Oct 20 15:04:29 EDT 2005
        ·  Enterprise-wide security by Frank Teti on Mon Oct 24 11:19:08 EDT 2005
  ·  Article: The Power of JAAS: Security System Alternatives by Pete L on Wed Oct 19 14:34:34 EDT 2005
  ·  Using JAAS with JSF by Ed Burns on Fri Oct 21 12:10:12 EDT 2005
  ·  Nothing but nonsense and misconceptions by paul ilechko on Mon Oct 24 20:37:28 EDT 2005
    ·  Nothing but nonsense and misconceptions by Frank Teti on Fri Nov 11 15:19:11 EST 2005
Message #188338

All that JAAS: Security System Alternatives

Posted by: Andrew Clifford on Tue Oct 18 19:04:33 EDT 2005 in response to Message #188265
Although application security remains a programmatic area where creativity seems to rule the day, letting programmers proceed with their own application security constructs is always an option. Again, based on a discussion I had at the CIO Forum, some IT managers believe that application security beyond SSO should be left up to the individual devices of the application developers.

Much the same can be accomplished with Acegi for Springframework. (http://acegisecurity.sourceforge.net). JAAS, SSO, RBAC. Managers do not need to let developers start from scratch.

-andrew

Message #188349

I second that for Acegi for Spring

Posted by: Scott McCrory on Tue Oct 18 22:04:33 EDT 2005 in response to Message #188338
JAAS didn't fit the bill for us and we weren't keen to write lots of glue code to make it work for our distributed web app. Instead, we settled on Acegi (now in production at a very large financial institution) and have been very pleased with it thus far.

Note that I recently added a Siteminder authentication extension (also in our production environment) into Acegi's CVS tree. See http://acegisecurity.sourceforge.net/ for more info.

Message #188364

Is Acegi Spring dependent ?

Posted by: vinay singh on Wed Oct 19 02:43:18 EDT 2005 in response to Message #188349
We did not use JAAS or Acegi, but another team had built the security mechanism from scratch for single sign-on on LDAP.
Not only was it time consuming, it has the limitation that it works only for Struts!!
Acegi looks interesting, but does it also work only with Spring, or can it be used for any web application?

Message #188372

Re: Is Acegi Spring dependent ?

Posted by: Andrea Chiumenti on Wed Oct 19 03:42:16 EDT 2005 in response to Message #188364
"Acegi Security relies on the Spring IoC container to wire its classes, and execute lifecycle methods such as afterPropertiesSet(). Some Acegi Security classes also publish events to the ApplicationContext, although you could provide a mock implementation of ApplicationContext easily enough which no-ops the method. In other words, if you particularly didn't want Spring in your application, you could avoid its use by writing equivalent getter, setter and lifecycle invocation processes in standard Java code. This is a natural consequence of the Spring way of development, which emphasises framework independence (it is not because we think there are good reasons people would not use Spring)."

More @ http://acegisecurity.sourceforge.net/standalone.html.

kiuma

Message #188378

Article: The Power of JAAS: Security System Alternatives

Posted by: diabolo512 on Wed Oct 19 04:34:10 EDT 2005 in response to Message #188265
Hi all,
you should look towards jGuard (http://jguard.sourceforge.net), which enables easy JAAS integration with J2EE platforms.

Sincerely yours,

Charles (jGuard team).

Message #188382

Where's the "Printer Friendly Version" gone?

Posted by: Neil Bartlett on Wed Oct 19 04:55:26 EDT 2005 in response to Message #188265
See subject.

Message #188412

Misunderstanding

Posted by: Pavel Tavoda on Wed Oct 19 09:00:36 EDT 2005 in response to Message #188265
Developers many times misunderstand JAAS. Any framework mentioned in the discussion could be based on JAAS, or at least on some subpart of it. JAAS at its core is a couple of classes and interfaces. The rest is default implementations for many systems.
Last year we deployed an application on a BEA server with login/password authentication against MS AD. This year authorisation via SPNEGO was introduced in 8.1 SP4. Then we reinstalled the server to the new version and deployed Windows SSO without changing a line of code.
Custom security solutions I see very often. However, I guess JAAS provides enough ground for everybody to start with.

Message #188481

Enterprise-wide security

Posted by: Frank Teti on Wed Oct 19 14:03:13 EDT 2005 in response to Message #188412
In large, corporate, heterogeneous environments (i.e. wintel, mainframe, unix, etc.) you need a security system that can be enabled in (IIS, Apache, J2EE, Notes, etc.) for enterprise-wide access control. Only systems like Oblix, Netegrity, etc. provide that kind of support. They also provide provisioning to LDAP, AD, etc., which is part of the security equation.

Message #188486

Enterprise-wide security

Posted by: Andrew Clifford on Wed Oct 19 14:31:31 EDT 2005 in response to Message #188481
Only systems like Oblix, Netegrity, etc. provide that kind of support.

Here is one for the "etc" group. Check out CAS. Acegi provides an out-of-box adapter for it.

http://tp.its.yale.edu/confluence/display/TP/Home?page=CentralAuthenticationService

Client Integration:

Acegi as CAS Client
AuthCAS
CAS and JSR-168
ColdFusion client script
ISAPI Filter
Java Client
JSP Client
MOD_CAS
PAM Module
Perl Client
PHP Client
Prado client
RPM Modules
Seraph as CAS Client
uPortal Client
WebObjects Client
Yale CAS client distribution
Zope client

Message #188487

Article: The Power of JAAS: Security System Alternatives

Posted by: Pete L on Wed Oct 19 14:34:34 EDT 2005 in response to Message #188265
We have used JAAS to customize our security login with WebSphere 5.1.2. I had the need to get some more information about the user from LDAP, like first & last name, preferred language, etc.

So we had our own login module developed and chained after the original WebSphere modules. It works great!

Thanks!
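Added example, not code from the article or from any poster in this thread: a minimal runnable JAAS stack in the shape Pete describes, which also makes concrete the "couple of classes and interfaces" Pavel refers to (LoginModule, Subject, Principal, CallbackHandler, Configuration, LoginContext). A constructed StubPasswordModule stands in for the server's own password module, and a hypothetical ProfileLoginModule is chained after it to add first name, last name and preferred language from an in-memory map that stands in for LDAP; NAME_KEY is the shared-state convention the JDK's own modules use, everything else is named for this illustration, and it needs Java 16 or later.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class JaasProfileStack {
    // Shared-state key the JDK's own login modules use to pass the user name down the stack.
    static final String NAME_KEY = "javax.security.auth.login.name";
    // Constructed stand-in for the LDAP directory: uid -> {givenName, sn, preferredLanguage}.
    static final Map<String, String[]> DIRECTORY = Map.of("alice", new String[]{"Alice", "Liddell", "en"});
    // Hypothetical principal that carries the attributes fetched after primary authentication.
    public record ProfilePrincipal(String uid, String givenName, String sn, String lang) implements Principal { public String getName() { return uid; } }

    // Stand-in for the server's own password module; in WebSphere the vendor modules sit here.
    public static class StubPasswordModule implements LoginModule {
        private CallbackHandler handler; private Map<String, Object> shared;
        @SuppressWarnings("unchecked") public void initialize(Subject s, CallbackHandler h, Map<String, ?> ss, Map<String, ?> o) { handler = h; shared = (Map<String, Object>) ss; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[]{nc, pc}); } catch (Exception e) { throw new LoginException(e.getMessage()); }
            boolean ok = "secret".equals(new String(pc.getPassword())); pc.clearPassword();  // constructed credential check
            if (!ok) throw new FailedLoginException("bad password");
            shared.put(NAME_KEY, nc.getName());      // hand the verified name to the modules after us
            return true;
        }
        public boolean commit() { return true; } public boolean abort() { return true; } public boolean logout() { return true; }
    }

    // Second module: authenticates nobody, only enriches the Subject once the whole stack has succeeded.
    public static class ProfileLoginModule implements LoginModule {
        private Subject subject; private Map<String, ?> shared; private ProfilePrincipal pending;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> ss, Map<String, ?> o) { subject = s; shared = ss; }
        public boolean login() throws LoginException {
            Object uid = shared.get(NAME_KEY);
            if (uid == null) return false;            // no module upstream verified a user: ignore this one
            String[] a = DIRECTORY.get(uid.toString());
            if (a == null) throw new FailedLoginException("no directory entry for " + uid);
            pending = new ProfilePrincipal(uid.toString(), a[0], a[1], a[2]);
            return true;
        }
        public boolean commit() {                     // reached only if every REQUIRED module's login() passed
            if (pending != null) subject.getPrincipals().add(pending);
            return pending != null;
        }
        public boolean abort() { pending = null; return true; }
        public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof ProfilePrincipal); return true; }
    }

    // Programmatic form of a two-entry jaas.conf stanza: both modules REQUIRED, in this order.
    static AppConfigurationEntry entry(Class<?> c) { return new AppConfigurationEntry(c.getName(), LoginModuleControlFlag.REQUIRED, Map.of()); }
    static final Configuration STACK = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[]{entry(StubPasswordModule.class), entry(ProfileLoginModule.class)};
        }
    };

    public static void main(String[] args) throws LoginException {
        CallbackHandler h = cbs -> { for (Callback c : cbs) {   // in a container a login form or TAI supplies these
            if (c instanceof NameCallback n) n.setName("alice");
            else if (c instanceof PasswordCallback p) p.setPassword("secret".toCharArray());
            else throw new UnsupportedCallbackException(c); } };
        LoginContext lc = new LoginContext("app", new Subject(), h, STACK);
        lc.login();
        System.out.println(lc.getSubject().getPrincipals());
    }
}
```

Because the profile module only acts in commit(), a failed password in the first module leaves the Subject empty, which is the property that makes chaining after the vendor modules safe.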

Message #188565

Enterprise-wide security

Posted by: George Jiang on Thu Oct 20 01:39:31 EDT 2005 in response to Message #188481
and Tivoli AM/WebSEAL

Message #188568

acegi or kasai

Posted by: Hamed KOUBAA on Thu Oct 20 02:15:46 EDT 2005 in response to Message #188338
Like Andrew, I believe that everything can be done with Acegi. Furthermore, with the release of version 1.0 next December, Acegi will be even more powerful and stable.
However, there is also Kasai, which is not bad:
http://www.manentiasoftware.com/kasai/goToWhatIs.action

Message #188685

Enterprise-wide security

Posted by: David Abramowicz on Thu Oct 20 15:04:29 EDT 2005 in response to Message #188565
Hi.

Just wanted to recommend RSA ClearTrust as an enterprise access management/security framework. I am slightly biased, as I have been a product consultant for RSA Security, but its list of integrations and feature specs is enormous.

What Frank Teti calls TAI (Trust Association Interceptor) is called an Agent in ClearTrust talk, and they are available for basically every single web / app server you can think of. Like:
WebLogic
WebSphere
IIS
Apache
IBM HTTPD etc etc etc

You can declaratively in the ClearTrust GUI protect JMS queues, EJBs, servlets etc etc or use URL based protection.

For authentication you can choose between 6-7 already implemented authentication mechanisms or use the authentication broker framework to write your own.

ClearTrust handles about six or seven different types of LDAP and SQL user repository types.

It also has a very long list of enterprise applications it can provide SSO to such as Siebel and SAP etc.

In huge organisations, not all applications are in Struts, or in Spring or even in Java.... This is a really nice way to tie them all together and provide SSO between them (also handles different cookie domains of course).

Buuut... Of course the product costs money :)

Message #188821

Using JAAS with JSF

Posted by: Ed Burns on Fri Oct 21 12:10:12 EDT 2005 in response to Message #188265
I've just posted an article on Using JAAS with JSF. I'd like to see if the TSS crowd thinks this is a good approach.

Ed (JSF co-spec lead)

Message #189017

Enterprise-wide security

Posted by: Frank Teti on Mon Oct 24 11:19:08 EDT 2005 in response to Message #188565
In the article it was already stated that:

TAI is used to connect reverse proxies, such as IBM WebSeal or Oblix NetPoint (recently acquired by Oracle) to a J2EE application server

Message #189094

Nothing but nonsense and misconceptions

Posted by: paul ilechko on Mon Oct 24 20:37:28 EDT 2005 in response to Message #188265
This article is chock full of errors, although it's sometimes hard to tell what is accurate and what isn't, as it's so poorly written. Anyway, a few points:

"However, the article did not discuss, in detail, alternatives to using LDAP directly for Java Authentication and Authorization Service (JAAS) security"

- what exactly is this supposed to mean? LDAP has nothing to do with JAAS, so why should there be an alternative to using LDAP for JAAS? This is nonsense.

"A TAI allows for single sign-on (SSO) and management privileges within J2EE resources: for example, authentication, authorization and policy-based security"

- Umm, no, it doesn't. A TAI (which, by the way, is an IBM proprietary interface, despite the fact that the article leads you to believe it can be used with other servers) provides identity assertion. This can be used as part of an overall SSO strategy, but it does not in and of itself provide SSO, and it certainly does not provide authorization or policy-based security.

"The focus of this article is to understand how to architect for RBAC within an environment centered on J2EE using a TAI."

- That would be difficult, as the TAI has nothing to do with access control.

" security behavior is implemented using JAAS for object method level security"

- Not in WebSphere, it isn't. JAAS is only used in WebSphere for authentication, but as the TAI interface has nothing to do with JAAS, it's hard to see what point is being made here.

"JAAS is a feature included in most J2EE-compliant application servers and was mandated by the J2EE 1.3 Specification."

No, it wasn't. JAAS is part of J2SE, and much of it is really not all that relevant in a J2EE environment, and most of it is optional. Mr. Teti really ought to read the specification.

I could go on, but I'm sure you get the point by now. If anyone is interested in what is actually involved in writing a TAI for WebSphere Application Server, please see my paper here: http://www-128.ibm.com/developerworks/websphere/techjournal/0508_benantar/0508_benantar.html

Message #190882

Nothing but nonsense and misconceptions

Posted by: Frank Teti on Fri Nov 11 15:19:11 EST 2005 in response to Message #189094
Your article (paper) is informative, and some of the co-authors on it I know are good; I worked with Keyes for a couple of years on a DCE project.

To your points:

It is still my understanding that JAAS was mandated by the J2EE 1.3 spec for compliant app servers.

I don’t state that TAI is part of JAAS, and I have read the spec. It is a reverse proxy that allows 3rd-party security systems, such as Oblix, Netegrity's SiteMinder, etc., to, as you say in the paper, “authenticate the user and then simply inform WAS as to the end-user's identity.” Thus, AC requires identification of the subject.

The point I was making is that you can access this information directly in LDAP or through a TAI to a 3rd-party security system (that might also be storing the information in LDAP). As I stated, this article represented an alternative to the approach discussed in this article: http://www.theserverside.com/articles/article.tss?l=LDAP.

In any case, after the Web authentication is complete in the TAI or normal Web authentication case using LDAP directly, WAS creates a JAAS Subject containing the user’s authentication information and an LTPA token.

As far as it being proprietary, I don’t believe TAI is as proprietary as, for example, LTPA; at least, a TAI is an interface that other 3rd parties can implement to, and that IMHO is not proprietary.

But I believe you are missing the fundamental point: I have described a viable reference architecture that uses WAS without IBM Tivoli to accomplish the same result.

If you have the time, maybe you could also review these IBM-related articles, too.

http://my.advisor.com/Articles.nsf/vWriterID?OpenView&RestrictToCategory=TETIF

All Content Copyright ©2007 TheServerSide