Home arrow Java arrow Page 4 - JAAS, Securing J2EE Applications: Securing Web Components

JAAS, Securing J2EE Applications: Securing Web Components

Web applications must be developed with security in mind right from the start. Developers should plan for securing a web application with both the web server and the application server in mind. Securing a J2EE application can seem very complicated, however. This article, the first of two parts, explains how to secure J2EE web components.

Author Info:
By: A.P.Rajshekhar
Rating: 4 stars4 stars4 stars4 stars4 stars / 39
August 17, 2005
  1. · JAAS, Securing J2EE Applications: Securing Web Components
  2. · JAAS: What is it?
  3. · Subject, Principal and Credentials
  4. · Implementing the JAAS Security Module
  5. · 2. Write the CallBackHandler
  6. · 4. Configure the JAAS policy file
  7. · Using the JAAS Module to Secure the Web Component

print this article

JAAS, Securing J2EE Applications: Securing Web Components - Implementing the JAAS Security Module
(Page 4 of 7 )

So much for theories. Now, it's time to have a look at the steps involved in implementing JAAS as a module. The implementation I am discussing below has been developed to provide security for a Java Mail application (experimental) that I am currently trying out for my personal use. To write a custom implementation, use the following steps:

  1. Implement the LoginModule.
  2. Write the CallBackHandler.
  3. Providing custom implementations for Principal and Action (this is optional).
  4. Configure the JAAS policy file.
  5. Configure the J2EE Application server.

Before going into the details of the implementation, the package you need to import  for all the steps is:


1.  Implement the LoginModule

LoginModule is one of the core modules of JAAS. It encapsulates the authentication logic intended for the JAAS framework. To implement LoginModule, one must override the following four methods:

a.  login():

This method performs the tasks of fetching the login information and authenticating the user. In short the logic to authenticate a user comes here. Fetching the login information is done as shone below:

              Callback[] callbacks=new Callbacks[2];

              Callbacks[0]=new NameCallback(“userModule username:”);

              Callbacks[0]=new NameCallback(“userModule password:”,false);


It is obvious from the above code that login information is fetched using the CallBackHandler. Once the login information is gathered, the login method attempts to connect to the server. If connected, the method returns true. The following snippet shows the procedure.

                  boolean succeeded=false;






                      ctx = new InitialDirContext(props);

                    succeeded =true;


                 return succeeded;

In the try-catch block, it tries to connect to the LDAP server with the gathered information. If the connection succeeds (that is, InitialDirContext() doesn’t throw exceptions), the verification variable is set to true. Here instead of the LDAP server, the database server could also be used as the authenticating server.

    1. commit():

This method sets the validated username in the session context. The code to populate the subject with the roles and credentials (such as private keys) if any, also goes here. The code is as follows:    


                  return false;



                  userPrincipal=new userPrincipal(user);





                  return true;


c.  abort():

This method is called if the LoginContext’s overall authentication fails. This method is also triggered by the runtime if a runtime exception is generated. To do custom processing in case of authentication failure, the code would be as follows: 

    if(!succeed)//this is for authentication failure


             return false;


else if(succeeded&&commitSucceeded==false)//this is for //runtime //error




                     throw new FailedLoginException(“Exception in Processin”);


d.  logout():

Whenever user logs out, this method is called. So if you want to unset some credentials or release the resources held by the user, you can do it here. The code that I used is as follows:           









              return true;

The class embedding the above code is:

             public class MyLoginModule implements LoginModule



blog comments powered by Disqus

- Java Too Insecure, Says Microsoft Researcher
- Google Beats Oracle in Java Ruling
- Deploying Multiple Java Applets as One
- Deploying Java Applets
- Understanding Deployment Frameworks
- Database Programming in Java Using JDBC
- Extension Interfaces and SAX
- Entities, Handlers and SAX
- Advanced SAX
- Conversions and Java Print Streams
- Formatters and Java Print Streams
- Java Print Streams
- Wildcards, Arrays, and Generics in Java
- Wildcards and Generic Methods in Java
- Finishing the Project: Java Web Development ...

Watch our Tech Videos 
Dev Articles Forums 
 RSS  Articles
 RSS  Forums
 RSS  All Feeds
Write For Us 
Weekly Newsletter
Developer Updates  
Free Website Content 
Contact Us 
Site Map 
Privacy Policy 

Developer Shed Affiliates


© 2003-2018 by Developer Shed. All rights reserved. DS Cluster - Follow our Sitemap
Popular Web Development Topics
All Web Development Tutorials