JAAS - How to authenticate user in web tier?

Question

I'm trying to understand how to secure Java EE applications using JAAS.

Actually I understand how to work with rules in EJBs, however, I don't understand how to authenticate user in web tier, for example create a simple JSF page with login form, check the given user name & password using the DB and in the case of success how to set the Principal for this user inside my application.

What is the common way doing this? I'd like to have as much AS-independent solution as possible.

Answer 1

JAAS is not the universal standard to do this. In fact, JAAS login modules are a little ill-suited for Java EE authentication. The full JAAS model was created for Java applications running locally, shielding code bases from each other (e.g. is a specific jar allowed to read from the file system).

It's very rare for a Java EE server to run untrusted code, so much of the functionality JAAS offers is simply not used.

Two very good articles about this topic are the following:

• JAAS in the Enterprise
• Whatever Happened to JAAS?

What is the common way doing this?

Unfortunately the common was is using an AS specific thing. The terminology for this "thing" is AS specific too. It can be called anything from a "realm", "security domain", "zone", "login module", and who knows what else they call it.

I'd like to have as much AS-independent solution as possible.

Fortunately there is also a standard way to do this in Java EE 6 and beyond, which is completely AS-independent: JASPIC auth modules.

However, the different application servers don't always fully support this. Of course it being part of the Java EE standard means vendors MUST support it, but this still doesn't mean they implement everything as the spec says (but instead they only implement for sure what the TCK tests for).

See the following two articles that I wrote for more info about JASPIC:

• Implementing container authentication in Java EE with JASPIC
• What's new in Java EE 7's authentication support?