Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
355 views
in Technique[技术] by (71.8m points)

java - JAAS for human beings

I am having a hard time understanding JAAS. It all seems more complicated than it should be (especially the Sun tutorials). I need a simple tutorial or example on how to implement security (authentication + authorization) in java application based on Struts + Spring + Hibernate with custom user repository. Can be implemented using ACEGI.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Other users have provide some very useful links above so I am not going to bother with links. I have done a similar research in JAAS for web application and has ran into a "mind roadblock" until I finally realize JAAS is a framework tackling security at a different "layer" then web applications in the Java World. It is build to tackle security issues in Java SE not Java EE.

JAAS is a security framework built for securing things at a much lower level then web-application. Some example of these things are code and resources available at the JVM level, hence all these ability to set policy files in the JVM level.

However, since Java EE is built on top of Java SE, a few modules from JAAS were reused in Java EE security such as the LoginModules and Callbacks.

Note that in addition to Java EE security, there is also Spring security (formerly known as Acegi), which similar to native Java EE security tackles a much higher "layer" in the securing web-application problem. It is a separate security implementation and is not built on top of standard Java EE security, although it behaves similarly in many regards.

To summarize, unless you are looking to secure resources in the Java SE level (classes, System resources), I don't see any real use of JAAS other than the using the common class and interfaces. Just focus on using Spring Security or plain old Java EE security which both solve a lot of common web application security problems.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...