JAAS, Securing J2EE Applications: Securing Web Components


Web applications must be developed with security in mind right from the start. Developers should plan for securing a web application with both the web server and the application server in mind. Securing a J2EE application can seem very complicated, however. This article, the first of two parts, explains how to secure J2EE web components.

Author Info:
By: A.P.Rajshekhar
August 17, 2005
TABLE OF CONTENTS:
  1. JAAS, Securing J2EE Applications: Securing Web Components
  2. JAAS: What is it?
  3. Subject, Principal and Credentials
  4. Implementing the JAAS Security Module
  5. 2. Write the CallBackHandler
  6. 4. Configure the JAAS policy file
  7. Using the JAAS Module to Secure the Web Component


JAAS, Securing J2EE Applications: Securing Web Components - 2. Write the CallBackHandler
(Page 5 of 7)

To gather the user's authentication information, a LoginModule uses a javax.security.auth.callback.CallbackHandler. An application implements this interface and passes it to the LoginContext, which forwards it to the underlying LoginModules. This decouples data gathering from the authentication implementation: the CallbackHandler determines what kind of data (user name, password, and so on) is collected for validating the user, while the LoginModule decides how that data is validated. Below is the code for the CallbackHandler used by our application.

To implement CallbackHandler a single method has to be implemented: handle(). Let's see how it's done.

Create a class that implements the CallbackHandler

class MyCallBackHandler implements CallbackHandler
{
    …..
}

Then override the handle() method

public void handle(Callback[] callbacks)
        throws IOException, UnsupportedCallbackException
{
    for (int i = 0; i < callbacks.length; i++)
    {
        if (callbacks[i] instanceof NameCallback)
        {
            // a NameCallback carries the user name, so it is cast to NameCallback
            NameCallback nc = (NameCallback) callbacks[i];
            // do the needful to get the user name, such as a login page or a
            // terminal-based user id prompter
            ………
            nc.setName(username);
        }
        if (callbacks[i] instanceof PasswordCallback)
        {
            PasswordCallback pc = (PasswordCallback) callbacks[i];
            // do the needful to get the password, such as a login page or a
            // terminal-based password prompter, just like the one done for the user name
            ………
            pc.setPassword(password.toCharArray());
        }
    }
}

That’s all for the CallbackHandler.
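A complete, compilable version of the handler described above, added here as an example and not taken from the original article. It assumes the credentials are handed to the handler up front (as a web login form would do) rather than prompted for, rejects callback types it does not understand, and wipes the password array when it is no longer needed; the main() method stands in for what a LoginModule's login() does when it calls handle().

```java
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

// Credentials are supplied at construction time (assumption: copied from a login form)
// instead of being prompted for inside handle().
final class MyCallBackHandler implements CallbackHandler {
    private final String username;
    private final char[] password;

    MyCallBackHandler(String username, char[] password) {
        this.username = username;
        this.password = password.clone();
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(username);          // a NameCallback carries a name, not a password
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(password);  // PasswordCallback stores its own copy
            } else {
                // Signal unknown callback types instead of silently leaving them empty.
                throw new UnsupportedCallbackException(cb, "Unrecognized callback");
            }
        }
    }

    // Call once the LoginContext is finished with the handler so the secret does not linger in memory.
    void clear() { Arrays.fill(password, '\0'); }
}

public class CallbackDemo {
    public static void main(String[] args) throws Exception {
        // Stand-in for LoginModule.login(): build the callbacks and hand them to the handler.
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        MyCallBackHandler handler = new MyCallBackHandler("alice", "s3cret".toCharArray()); // constructed sample
        handler.handle(new Callback[] { nc, pc });
        System.out.println("name received: " + nc.getName());
        System.out.println("password length: " + pc.getPassword().length);
        pc.clearPassword();   // the LoginModule should clear its copy as well
        handler.clear();
    }
}
```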

3.  Providing custom implementations for Principal and Action (this is optional)

This is an optional step. This step is useful for storing the user name and comparing it with a new login.

Just as in the previous step, start by creating a class.

public class userPrincipal implements Principal, java.io.Serializable
{
    …….
}

Since this class is used to compare two userPrincipals, the comparison is done in the equals() method.

public boolean equals(Object o)
{
    if (o == null)
        return false;

    if (this == o)
        return true;

    if (!(o instanceof userPrincipal))
        return false;

    userPrincipal that = (userPrincipal) o;
    if (this.getName().equals(that.getName()))
        return true;
    return false;
}

The code first checks for a null object. Then it checks for reference equality (the same object, not an equal value). Once that is done, it casts the object to userPrincipal and compares the names the two objects contain. The only method that must be implemented is getName(). In our case it simply returns the name stored in the userPrincipal object.

private final String name;

public userPrincipal(String name)
{
    this.name = name;
}

public String getName()
{
    // return the stored name; calling userPrincipal.getName() here would recurse
    return name;
}

Next is the implementation of PrivilegedAction. With it we can control access to a resource on the basis of permissions at run time.

Create a custom implementation by implementing the PrivilegedAction interface.

public class userAction implements PrivilegedAction
{
    …..
}

Then override the run() method as shown below. Implementations can differ.

public Object run()
{
    File f = new File("tips.html");
    if (!f.exists())
    {
        System.out.println("File does not exist in user directory");
    }
    // do other needful. In a real environment the output wouldn't be given like above
    return null;
}

Here we are just checking for the existence of the file. The exists() check only succeeds when the code has the required permission for that file; in this case it has permission only in the user's home directory.
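A complete version of the principal and action classes from this step, added here as an example and not part of the original article. It uses Java-conventional names UserPrincipal and UserAction (my choice, not the article's), pairs equals() with hashCode() because a Subject keeps its principals in a Set and needs both to recognise duplicates, and runs the action with Subject.doAs, which is deprecated on newer JDKs in favour of Subject.callAs but still available.

```java
import java.io.File;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

// Custom Principal: the article's equals() logic plus the hashCode() it must be paired with.
final class UserPrincipal implements Principal, java.io.Serializable {
    private final String name;
    UserPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    @Override public boolean equals(Object o) {
        if (o == null) return false;
        if (this == o) return true;
        if (!(o instanceof UserPrincipal)) return false;
        return name.equals(((UserPrincipal) o).getName());
    }
    // Without this, two equal principals could both end up in the Subject's principal set.
    @Override public int hashCode() { return name.hashCode(); }
    @Override public String toString() { return "UserPrincipal[" + name + "]"; }
}

// PrivilegedAction that checks for a file under the user's home directory and reports the result.
final class UserAction implements PrivilegedAction<Boolean> {
    private final String fileName;
    UserAction(String fileName) { this.fileName = fileName; }
    public Boolean run() {
        File f = new File(System.getProperty("user.home"), fileName);
        return f.exists();   // with a policy in force this requires read permission on the path
    }
}

public class PrincipalDemo {
    public static void main(String[] args) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new UserPrincipal("alice"));   // constructed sample user
        subject.getPrincipals().add(new UserPrincipal("alice"));   // duplicate: collapsed by equals()+hashCode()
        System.out.println("principals: " + subject.getPrincipals());   // prints a single entry
        Boolean exists = Subject.doAs(subject, new UserAction("tips.html"));
        System.out.println("tips.html in home dir: " + exists);
    }
}
```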

