Martin: Created page with "= programmatic security = * J2EE API for role membership & user identity * Can use JAAS instead of Container Managed Security * for dynamic complex rules and policies == JAAS..."

2021-09-14T21:35:26Z

Created page with "= programmatic security = * J2EE API for role membership & user identity * Can use JAAS instead of Container Managed Security * for dynamic complex rules and policies == JAAS..."

New page

= programmatic security =
* J2EE API for role membership & user identity
* Can use JAAS instead of Container Managed Security
* for dynamic complex rules and policies

== JAAS ==
* Authentication : [http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/LoginContext.html LoginContext] object specifies who and callback handler to handle authentication process e.g. password/pin etc
** call void LoginContext.login() throws [http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/LoginException.html LoginException]
* Configuration specifies what LoginModule to use
** Supports "stacked" modules - more than one
** configuration files contains - fully specified class name, authentication flag

* [http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/tutorials/GeneralAcnAndAzn.html tutorial]
** [http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/tutorials/SampleAzn.java tutorial authentication code]

=== Authentication Flag ===

{| border="1" cellspacing="0" cellpadding="3"
|-
!Flag
!Description
!Continues on success
!Continues on failure
|-
| Sufficient
| If succeeds, login successful, no others need to pass
| No
| Yes
|-
| Requisite
| must succeed for login to be successful, others may still need to pass
| Yes
| No
|-
| Required
| must succeed for login to be successful, others may still need to pass
| Yes
| Yes
|-
| Optional
| not required for login to succeed
| Yes
| Yes
|}

=== JAAS Authorisation ===
* successful login creates a [http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/Subject.html Subject] represents the user
* Subject has a [http://java.sun.com/j2se/1.5.0/docs/api/java/security/Principal.html Principle] representing name, groups, roles, companies etc
* Principal used to control access - must be associated with the access control context

=== javax.ejb.EJBContext ===
* java.security.Principal getCallerPrincipal()
* isCallerInRole(java.lang.String roleName)
*'' java.security.Identity getCallerIdentity()'' Deprecated - getCallerPrincipal
*'' isCallerInRole(java.security.Identity role)'' Deprecated- isCallerInRole

=== javax.servlet.http.HttpServletRequest ===
* isRequestedSessionIdFromCookie()
* ''isRequestedSessionIdFromUrl()'' Deprecated (case change) see below
* isRequestedSessionIdFromURL()
* isRequestedSessionIdValid()
* isUserInRole(java.lang.String role)

=== javax.annotation.security ===
* DeclareRoles
* DenyAll
* PermitAll
* RolesAllowed
* RunAs

{|- border="1" cellpadding="5" cellspacing="0"
! Annotation !! class !! method !! ejb or superclass !! servlet or web library
|-
| DeclareRoles || Y || Y || Y ||
|-
| DenyAll || || Y || Y ||
|-
| PermitAll || Y || Y || Y ||
|-
| RolesAllowed || Y || || Y || Y
|-
| RunAs || Y || || Y (only EJB) || Y (only servlet)
|}

Security Policy
* http://java.sun.com/j2se/1.4.2/docs/guide/security/spec/security-spec.doc3.html
* http://java.sun.com/developer/technicalArticles/J2EE/security_annotation/

Security API - Revision history

Martin: Created page with "= programmatic security = * J2EE API for role membership & user identity * Can use JAAS instead of Container Managed Security * for dynamic complex rules and policies == JAAS..."