Security API

From sheep

Programmatic Security

  • J2EE API for role membership and user identity
  • Can use JAAS instead of container-managed security
  • Used for dynamic, complex rules and policies

JAAS

  • Authentication: a LoginContext object specifies who is logging in and the CallbackHandler that handles the authentication exchange, e.g. collecting a password or PIN
  • Configuration specifies which LoginModule(s) to use
    • Supports "stacked" modules, i.e. more than one
    • Each configuration file entry contains the fully qualified class name of the LoginModule and an authentication (control) flag


Authentication Flag

Flag        Description                                                              Continues on success   Continues on failure
Sufficient  If it succeeds, login is successful; no other modules need to pass       No                     Yes
Requisite   Must succeed for login to be successful; others may still need to pass   Yes                    No
Required    Must succeed for login to be successful; others may still need to pass   Yes                    Yes
Optional    Not required for login to succeed                                        Yes                    Yes

JAAS Authorisation

  • A successful login creates a Subject, which represents the user
  • The Subject holds Principals representing its name, groups, roles, companies, etc.
  • Principals are used to control access; they must be associated with the access control context

javax.ejb.EJBContext

  • java.security.Principal getCallerPrincipal()
  • isCallerInRole(java.lang.String roleName)
  • java.security.Identity getCallerIdentity() - deprecated; use getCallerPrincipal()
  • isCallerInRole(java.security.Identity role) - deprecated; use isCallerInRole(String)

javax.servlet.http.HttpServletRequest

  • isRequestedSessionIdFromCookie()
  • isRequestedSessionIdFromUrl() - deprecated (case change); use isRequestedSessionIdFromURL() below
  • isRequestedSessionIdFromURL()
  • isRequestedSessionIdValid()
  • isUserInRole(java.lang.String role)


javax.annotation.security

  • DeclareRoles
  • DenyAll
  • PermitAll
  • RolesAllowed
  • RunAs


Annotation class method ejb or superclass servlet or web library
DeclareRoles Y Y Y
DenyAll Y Y
PermitAll Y Y Y
RolesAllowed Y Y Y
RunAs Y Y (only EJB) Y (only servlet)



Security Policy