> -----Original Message-----
> From: A mailing list for Enterprise JavaBeans development
> [mailto:[EMAIL PROTECTED]]On Behalf Of francis pouatcha
> Sent: Tuesday, February 15, 2000 11:02 AM
> To: [EMAIL PROTECTED]
> Subject: Integrating J2EE and JAAS
>
>
> About integrating JAAS into EJB (J2EE),
>
> What does JAAS deal with and where is it needed:
>
> 1)-->authentication could be needed for two purposes:
> 1a) -->For getting security attributes of a user, that sits on a
> machine in the intranet environment or in a managed extranet environment
> (very nice). J2EE solves this problem with the concept of application
> components, that run in some kind of application containers provided by
> the J2EE provider. JAAS provides clients with a nice way for
> communicating user sec. attr. to their containers, and it is the corner
> where we will need JAAS anyway.
Yes, but there is no standard way for the application-client-container to
propagate the sec. attr. to the ejb-container. More on that later.
> 1b)-->For solving the following form-based authentication
> problem outlined by Laird:
> <hint>
> when using form-based authentication, you need some way for transmitting
> the security attributes you got from the client to the web server
> environment, so it can be associated with the communication subsystem.
> </hint>
> <solution>
> The JAAS LoginContext.login() method could be used to perform this
> task.
> </solution>
Yes, and then you need to fulfill the callbacks generated by the
LoginModules using the web. This is actually quite tricky, since you need an
adapter between two asynchronous protocols (HTTP and the callbacks of
JAAS). But it can be done, and has been done. (You need a thread suspending
the first login-phase while waiting for the next http-request.)
> 1c)-->But JAAS couldn't be used for getting security
> attributes of a user that sits on a browser somewhere in the internet.
> For this, we need some kind of HTTP authentication (basic, form, ssl).
Yes, it could. Of course one needs to use some form of http-authentication,
but those could be enhanced (using JAAS' PAM) in a way that one could get
more complicated authentication behaviour. For example, using the X500-name
to authenticate someone based on what _company_ a user is from. I.e. one
company, one principal. Or using the form-based authentication to
authenticate a user based on some challenge-response scheme (commonly used
by internet banks, using an external box for signing the "challenge").
This type of flexibility of authentication is _required_ for building
applications with high security requirements.
> 2)-->authorization: checking whether a user is allowed to access some
> resources. This is definitely not needed by the EJBServer, because the
> EJB and the JAAS access control logic are uncorrelated (I'm ready to
> discuss that in detail).
Might be true. But the JAAS ACLs are richer than the J2EE ones. I believe that
J2EE would gain in richness if they could be integrated without
compromising the simplicity of J2EE's current ACLs.
> 3)--> JAAS doesn't deal with context propagation, so transmitting
> security attributes from ejb clients (stand alone, servlets) to the ejb
> server couldn't be handled by JAAS.
No, it doesn't. But shouldn't it?
JAAS deals with propagating sec. attrs. within an application. I believe
that for JAAS to be semantically complete (even within J2SE, which includes
RMI), it needs to be able to propagate sec. attrs. through RMI. Else, the
semantics of an RMI-method call is inconsistent. When calling an RMI-method
residing on the same VM the context is propagated, else it is not.
Of course, the J2EE needs to standardize on context propagation to get
container-container integration. Since the container-container integration
is done through RMI/IIOP the context propagation of J2EE should use the
standards of the CORBA-world.
> In summary, let's say JAAS can be used for authentication when
> implementing J2EE Java-Clients.
I believe that the most important feature JAAS has that J2EE doesn't is
flexibility of authentication. I don't believe that it is always up to the
container to decide.
> So if you see any other integration point between EJB(J2EE) and JAAS, or
> something wrong in what I covered above, let me know your opinion.
>
> Thanks.
> --
> Francis Pouatcha
>
> MATHEMA Software GmbH
> http://www.mathema.de
>
> ===========================================================================
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff EJB-INTEREST". For general help, send email to
> [EMAIL PROTECTED] and include in the body of the message "help".
>
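The HTTP-to-callback adapter the reply describes (a thread parked in the first login phase until the form arrives in the next request), as an added example in Java that is not part of this thread, of JAAS, or of any container; the class FormCallbackHandler, its method names, the two-field form and the timeouts are assumptions:

```java
import java.io.IOException;
import java.util.concurrent.SynchronousQueue;
import java.util.concurrent.TimeUnit;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

// Hypothetical adapter (not JAAS or container code). One instance lives in the user's
// HttpSession; the login thread blocks in handle() until the next request posts the form.
public final class FormCallbackHandler implements CallbackHandler {
    private final SynchronousQueue<Callback[]> prompts = new SynchronousQueue<>();
    private final SynchronousQueue<String[]> form = new SynchronousQueue<>();
    private final long timeoutSeconds;   // bound on how long a half-finished login may wait
    public FormCallbackHandler(long timeoutSeconds) { this.timeoutSeconds = timeoutSeconds; }

    // Login thread: invoked by the LoginModule from inside LoginContext.login().
    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks)    // refuse anything a two-field form cannot answer
            if (!(cb instanceof NameCallback) && !(cb instanceof PasswordCallback))
                throw new UnsupportedCallbackException(cb);
        try {
            // Phase 1: publish the prompts for the servlet to render as an HTML form.
            if (!prompts.offer(callbacks, timeoutSeconds, TimeUnit.SECONDS))
                throw new IOException("no request collected the login prompts");
            // Phase 2: suspend until the form is POSTed, or give up so login() fails.
            String[] fields = form.poll(timeoutSeconds, TimeUnit.SECONDS);
            if (fields == null) throw new IOException("login form not submitted in time");
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(fields[0]);
                else ((PasswordCallback) cb).setPassword(fields[1].toCharArray());
            }
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IOException("login interrupted", e);
        }
    }

    // Servlet thread, request 1: wait briefly for the prompts to render (null if none arrived).
    public Callback[] awaitPrompts(long seconds) throws InterruptedException {
        return prompts.poll(seconds, TimeUnit.SECONDS);
    }

    // Servlet thread, request 2: hand over the POSTed fields; false if no login is waiting.
    public boolean submit(String user, String password) throws InterruptedException {
        return form.offer(new String[] {user, password}, 1, TimeUnit.SECONDS);
    }
}
```

The first request starts a thread running new LoginContext(name, subject, handler).login() and renders whatever awaitPrompts returns; the second request calls submit, after which login() completes on the parked thread and the resulting Subject can be bound to the session. Bounding both waits matters, since each parked login thread is a resource an unauthenticated client can tie up.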