Security API
Jump to navigation
Jump to search
programmatic security
- J2EE API for role membership & user identity
- Can use JAAS instead of Container Managed Security
- for dynamic complex rules and policies
JAAS
- Authentication : LoginContext object specifies who and callback handler to handle authentication process e.g. password/pin etc
- call void LoginContext.login() throws LoginException
- Configuration specifies what LoginModule to use
- Supports "stacked" modules - more than one
- configuration files contains - fully specified class name, authentication flag
Authentication Flag
| Flag | Description | Continues on success | Continues on failure |
|---|---|---|---|
| Sufficient | If succeeds, login successful, no others need to pass | No | Yes |
| Requisite | must succeed for login to be successful, others may still need to pass | Yes | No |
| Required | must succeed for login to be successful, others may still need to pass | Yes | Yes |
| Optional | not required for login to succeed | Yes | Yes |
JAAS Authorisation
- successful login creates a Subject represents the user
- Subject has a Principle representing name, groups, roles, companies etc
- Principal used to control access - must be associated with the access control context
javax.ejb.EJBContext
- java.security.Principal getCallerPrincipal()
- isCallerInRole(java.lang.String roleName)
- java.security.Identity getCallerIdentity() Deprecated - getCallerPrincipal
- isCallerInRole(java.security.Identity role) Deprecated- isCallerInRole
javax.servlet.http.HttpServletRequest
- isRequestedSessionIdFromCookie()
- isRequestedSessionIdFromUrl() Deprecated (case change) see below
- isRequestedSessionIdFromURL()
- isRequestedSessionIdValid()
- isUserInRole(java.lang.String role)
javax.annotation.security
- DeclareRoles
- DenyAll
- PermitAll
- RolesAllowed
- RunAs
| Annotation | class | method | ejb or superclass | servlet or web library |
|---|---|---|---|---|
| DeclareRoles | Y | Y | Y | |
| DenyAll | Y | Y | ||
| PermitAll | Y | Y | Y | |
| RolesAllowed | Y | Y | Y | |
| RunAs | Y | Y (only EJB) | Y (only servlet) |
Security Policy