j_security_check and JAAS

Question

I have been given the task of implementing a login handler. The only detail the handler captures is username and password. Initially I was going to use a JSP that posted to a servlet. Where the servlet carried out a db lookup and also validated the user credentials. Upon successful login you are redirected but unsuccessful takes you back to the jsp and displays appropriate error messages.

However upon doing some research I discovered j_security_check and JAAS and am not sure which to use or whether to at all.

What benefits will I get from either and which would be most suitable from my task? ?

Answer 1

The simpler method should suffice unless you are doing really really sensitive stuff. Just remember the most important (and simple) bit: keep a password hash in the database, not the real password.

Answer 2

You may as well check out Spring Security framework.

Answer 3

Use what you container provides and don't implement your database lookup to do this. When the container knows who is logged in, you can use the roles to restrict access to certain pages. There are also different types of authentication.

Using JAAS will give you the flexibility to use another way of verifying the password (for example in active directory). Also single-sign-on could be implemented with this.

Answer 4

JAAS takes the load off you and allows you (or the client) to change authentication methods just by dropping in another module. For example from DB auth to LDAP to Kerberos to NT Domain - you get the point.

Answer 5

Security is composed of following aspects:

1. Authentication
2. Authorization
3. Transport layer security - Encryption

Authentication: - this consists of checking the credentials of the user; most of the times this is implemented through login mechanism. Your task of creating login page is part of authentication.

Authorization: - application resources need to be protected from unauthorized access that means when ever user requests for protected resource, application need to ensure that user has appropriate access rights. This is generally done by assign roles to the user and putting request filters that verify the access rights of the user. This part is more critical and requires detailed design analysis. Just authenticating user is not enough, you need to ensure that protected resources are not accessed by those users who are not authorized for the same.

Transport layer security: - system architecture need to ensure that data being transfered over the network doesnot fall into hands of hackers or sniffers. SSL/TSL is used for achieving this

J2EE containers and frameworks like Spring security provide common functionalities for each of the security aspect.

What you are trying to develop is simple authentication mechanism. Application security is more demandind when it comes to access control i.e. authorization.

Also security need to scalable i.e. as business needs changes for integrating systems and security your system should be able to adapt to things like Single Sign On (SSO), LDAP authentication etc.

Though JAAS and container security is good enough for scaling but there are few restrictions with the same. For example you would need to depend on vendor specific configurations and adapters. Your application would declare security needs in deployment descriptors and server administrators need to configure security realms at server end.

I would recommend you to evaluate Spring Security (previously Acegi Security) framework. We have been using the same in many of our projects and found it to be robust, customizable and easy to implement. It comes with set of filters that intercept your request and provide access control. Framework can be used to validate users against various user repositories such as database, LADP servers, OS Security etc. It is extensible and can be integrated with SSO servers. It also provides useful taglibraries for controlling access to parts within JSP pages. Not only that this framework also provides method level security that can be imposed at class level through Spring AOP framework