JAAS, Securing J2EE Applications: Securing Web Components - Using the JAAS Module to Secure the Web Component

(Page 7 of 7 )

This is the last step in the complete process. The best way to do it is to implement a servlet-filter. Whenever a request is made to the web application, the request goes through the servlet-filter, if implemented or available. Hence from the login page, the user related data could be easily passed to the CallbackHandler.

To implement a servlet filter, first implement the Filter interface and then override the doFilter() method. In the doFilter method, call the CallbackHandler implementation and pass on the user data.

public class JAASLoginFilter implements Filter

{
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) {
        // login
        String username = request.getSession().getAttribute("username");
        char[] password  = request.getSession().getAttribute("password");
        handler = new UsernamePasswordHandler(username, password);
        LoginContext lc = new LoginContext("client-login", handler);
        lc.login();

        // run the servlet
        chain.doFilter(request, response);

        // logout
        lc.logout();
    }
}

The above code shows the implementation. The doFilter method calls the CallbackHandler and provides it with the user data. The above implementation is not the optimized version. It is just a high level version. There are various ways to do this. I will cover more about it in the future. To integrate this into the web application, have a peek into the example web.xml provided by the application server vendor. That’s all about setting up JAAS with servlet filter.

So this brings us to the end of securing your web application using JAAS. I know I have left out the details of interaction between JAAS and the application. In part two, I will give you all the missing details. In today’s world of web security, to provide fine grained control, JAAS is the best option available to any J2EE developer as it combines the best of both role based security and programmatically enforcing it. Till next time.

DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware.

Comments On: JAAS, Securing J2EE Applications: Securing Web Components

· HiThank you for reading. Hope it was helpful. Please comment.A.P.Rajshekhar    · Very well structured and helpful for a newbie like me. The "almost" is because I...    · found it very helpful, it only lacks references to specific server aplication...    · Thhanks for your comments. Since here the context is Web Applicatin, so there is no...    · Hi thanks for that article, it helped clear a lot of confusion i was having about...    · Hi liked the explanation of JAASLoginFilter. But what i am not able to understand...    · put the rigth code or dont put anything, that snippets of code was writed with your...    · The content was easy to understand. I habe 1 question in this. I want my application...   >>> Post your comment now!