views: 1758

answers: 4

I am having a hard time understanding JAAS. It all seems more complicated than it should be (especially the Sun tutorials). I need a simple tutorial or example on how to implement security (authentication + authorization) in a Java application based on Struts + Spring + Hibernate with a custom user repository. It can be implemented using ACEGI.

+1  A: 

For a purely JAAS tutorial, check out this. It's old but should help with the JAAS basics.

Mark
+1  A: 

I can't speak too much to JAAS itself, but this "suggested steps" guide on Spring Security and the reference manual are both pretty good resources on Spring Security - if your setup is anything close to simple, you don't really need to do much more than read these.

matt b
+4  A: 

Other users have provided some very useful links above, so I am not going to bother with links. I have done similar research in JAAS for web applications and ran into a "mind roadblock" until I finally realized JAAS is a framework tackling security at a different "layer" than web applications in the Java world. It is built to tackle security issues in J2SE, not J2EE.

JAAS is a security framework built for securing things at a much lower level than web applications. Some examples of these things are code and resources available at the JVM level, hence the ability to set policy files at the JVM level.

However, since J2EE is built on top of J2SE, a few modules from JAAS were reused in J2EE security, such as the LoginModules and Callbacks.

On the other hand, Acegi, now aka Spring Security, tackles a much higher "layer" of the web application security problem. It is built on top of J2EE security, hence J2SE, hence JAAS. Unless you are looking to secure resources at the J2SE level (classes, system resources), I don't see any real use of JAAS other than using the common classes and interfaces. Just focus on using Acegi or plain old J2EE security, which solves a lot of common web application security problems.

lsiu
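A minimal custom LoginModule with the Callback plumbing lsiu's answer refers to, added here as an example; it is not code from this thread and not an Acegi/Spring Security example. The class names, the "demo" configuration name and the in-memory user store are assumptions (a real module would query the application's own user repository); a programmatic Configuration stands in for the jaas.conf file, and the code needs Java 16+.

```java
import java.security.*;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class JaasDemo {
    // Constructed sample store (hypothetical); a real repository would hold salted password hashes.
    static final Map<String, byte[]> USERS = Map.of("alice", "s3cret".getBytes());
    // Custom module: it never sees how credentials were collected, it only asks the CallbackHandler.
    public static class RepoLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private String user;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> o) { subject = s; handler = h; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[]{nc, pc}); } catch (Exception e) { throw new LoginException("callback failed: " + e); }
            String name = nc.getName(); byte[] expected = name == null ? null : USERS.get(name);
            char[] pw = pc.getPassword();
            // MessageDigest.isEqual does not stop at the first differing byte (no timing leak on the value)
            boolean ok = expected != null && pw != null && MessageDigest.isEqual(expected, new String(pw).getBytes());
            pc.clearPassword();
            if (!ok) throw new FailedLoginException("bad credentials");
            user = name; return true;
        }
        // Principal has one abstract method (getName), so a lambda is enough for the demo
        public boolean commit() { subject.getPrincipals().add((Principal) () -> user); return true; }
        public boolean abort() { user = null; return true; }  public boolean logout() { subject.getPrincipals().clear(); return true; }
    }
    // Programmatic stand-in for a jaas.conf entry:  demo { JaasDemo$RepoLoginModule required; };
    static final Configuration CONFIG = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[]{new AppConfigurationEntry(RepoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of())};
        }
    };
    static CallbackHandler credentials(String name, char[] pw) {   // answers callbacks from values already in hand
        return cbs -> { for (Callback cb : cbs) {
            if (cb instanceof NameCallback nc) nc.setName(name);
            else if (cb instanceof PasswordCallback pc) pc.setPassword(pw);
            else throw new UnsupportedCallbackException(cb); } };
    }
    public static void main(String[] args) {
        for (String pw : new String[]{"s3cret", "wrong"}) try {   // one success, one failure
            LoginContext lc = new LoginContext("demo", new Subject(), credentials("alice", pw.toCharArray()), CONFIG);
            lc.login();   // login() on each module, then commit(); abort() instead if a required module failed
            System.out.println("ok: " + lc.getSubject().getPrincipals().stream().map(Principal::getName).toList());
        } catch (LoginException e) { System.out.println("failed: " + e.getMessage()); }
    }
}
```

The only thing a web framework adds on top of this is the CallbackHandler: it feeds the module from the login form instead of a console, which is why LoginModule and Callback are the JAAS pieces that survive into J2EE and Spring Security.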