Home arrow Java arrow Page 3 - JAAS, Securing J2EE Applications: Securing Web Components

JAAS, Securing J2EE Applications: Securing Web Components

Web applications must be developed with security in mind right from the start. Developers should plan for securing a web application with both the web server and the application server in mind. Securing a J2EE application can seem very complicated, however. This article, the first of two parts, explains how to secure J2EE web components.

Author Info:
By: A.P.Rajshekhar
Rating: 4 stars4 stars4 stars4 stars4 stars / 39
August 17, 2005
  1. · JAAS, Securing J2EE Applications: Securing Web Components
  2. · JAAS: What is it?
  3. · Subject, Principal and Credentials
  4. · Implementing the JAAS Security Module
  5. · 2. Write the CallBackHandler
  6. · 4. Configure the JAAS policy file
  7. · Using the JAAS Module to Secure the Web Component

print this article

JAAS, Securing J2EE Applications: Securing Web Components - Subject, Principal and Credentials
(Page 3 of 7 )


These three are the most recurring terms in JAAS. They also relate to the core classes of this package. In this section I will be discussing  these terms and their use in the process of providing security.


In short, a subject refers to a person, i.e. a user or another system. The users of system depend on various resources provided by the system to perform various computational tasks. These resources are almost always in the form of Services. In certain cases a system itself must depend on the services running on other systems. So, in both cases, whether it is a person who utilizes system services or another system, JAAS must authenticate them. So in the terminology of JAAS, both become subjects.


A service is always associated with the name of the subject that is making use of that service. And each subject can use many different services under different names. So principal, in essence, is the name associated with a subject. In other words the name that associates a subject with a service is the principal. Like subject, principal is one of the core classes.


A service, at times, would attach security attributes (also data) to a subject other than the principal. Most of the time these attributes are nothing but the information supplied by the subject for authentication. Such attributes are termed credentials. Credentials may be any type of objects. They can include passwords, Kerberos tickets, and public key certificates. The pluggable feature of JAAS ensures that third party credential implementations may also be incorporated within JAAS without much ado.

The next question obviously would be, how are these related in code? Letís take a look.

As I have already discussed, each subject may have multiple names. A subject would have a set of principals:

          public interface Principal


          public String getName()


public final class Subject


          public Set getPrincipals() { }



           public final class Subject {


                   public Set getPublicCredentials() { }  // not security checked

                   public Set getPrivateCredentials() { } // security checked


In more explanatory terms, the subject class has a method which returns principals associated with the subject. Since there can be many principals associated with a single instance of a subject, the return type is a collection-Set. The subject class has better methods for Credentials. Here two types of credentials come into the picture: public credentials and private credentials. The public credentials contain the Subject instanceís Public Keys, Kerberos tickets, and so on, whereas the private credentials contain Private Keys, passwords, and so forth. Thus, the subject contains methods to get the credentials and principals associated with it.

blog comments powered by Disqus

- Java Too Insecure, Says Microsoft Researcher
- Google Beats Oracle in Java Ruling
- Deploying Multiple Java Applets as One
- Deploying Java Applets
- Understanding Deployment Frameworks
- Database Programming in Java Using JDBC
- Extension Interfaces and SAX
- Entities, Handlers and SAX
- Advanced SAX
- Conversions and Java Print Streams
- Formatters and Java Print Streams
- Java Print Streams
- Wildcards, Arrays, and Generics in Java
- Wildcards and Generic Methods in Java
- Finishing the Project: Java Web Development ...

Watch our Tech Videos 
Dev Articles Forums 
 RSS  Articles
 RSS  Forums
 RSS  All Feeds
Write For Us 
Weekly Newsletter
Developer Updates  
Free Website Content 
Contact Us 
Site Map 
Privacy Policy 

Developer Shed Affiliates


© 2003-2019 by Developer Shed. All rights reserved. DS Cluster - Follow our Sitemap
Popular Web Development Topics
All Web Development Tutorials