JAAS, Securing J2EE Applications: Securing Web Components
Web applications must be developed with security in mind right from the start. Developers should plan for securing a web application with both the web server and the application server in mind. Securing a J2EE application can seem very complicated, however. This article, the first of two parts, explains how to secure J2EE web components.
JAAS, Securing J2EE Applications: Securing Web Components - Implementing the JAAS Security Module (Page 4 of 7 )
So much for theories. Now, it's time to have a look at the steps involved in implementing JAAS as a module. The implementation I am discussing below has been developed to provide security for a Java Mail application (experimental) that I am currently trying out for my personal use. To write a custom implementation, use the following steps:
Implement the LoginModule.
Write the CallBackHandler.
Providing custom implementations for Principal and Action (this is optional).
Configure the JAAS policy file.
Configure the J2EE Application server.
Before going into the details of the implementation, the package you need to import for all the steps is:
1. Implement the LoginModule
LoginModule is one of the core modules of JAAS. It encapsulates the authentication logic intended for the JAAS framework. To implement LoginModule, one must override the following four methods:
This method performs the tasks of fetching the login information and authenticating the user. In short the logic to authenticate a user comes here. Fetching the login information is done as shone below:
It is obvious from the above code that login information is fetched using the CallBackHandler. Once the login information is gathered, the login method attempts to connect to the server. If connected, the method returns true. The following snippet shows the procedure.
In the try-catch block, it tries to connect to the LDAP server with the gathered information. If the connection succeeds (that is, InitialDirContext() doesn’t throw exceptions), the verification variable is set to true. Here instead of the LDAP server, the database server could also be used as the authenticating server.
This method sets the validated username in the session context. The code to populate the subject with the roles and credentials (such as private keys) if any, also goes here. The code is as follows:
This method is called if the LoginContext’s overall authentication fails. This method is also triggered by the runtime if a runtime exception is generated. To do custom processing in case of authentication failure, the code would be as follows:
if(!succeed)//this is for authentication failure
else if(succeeded&&commitSucceeded==false)//this is for //runtime //error
throw new FailedLoginException(“Exception in Processin”);
Whenever user logs out, this method is called. So if you want to unset some credentials or release the resources held by the user, you can do it here. The code that I used is as follows: