JAAS, Securing J2EE Applications: Securing Web Components
Web applications must be developed with security in mind right from the start. Developers should plan for securing a web application with both the web server and the application server in mind. Securing a J2EE application can seem very complicated, however. This article, the first of two parts, explains how to secure J2EE web components.
2. Write the CallbackHandler (Page 5 of 7)
To gather users' authentication information, a LoginModule uses a javax.security.auth.callback.CallbackHandler. The application implements this interface and passes it to the LoginContext, which then forwards it to the underlying LoginModules. This way the gathering of data is decoupled from the authentication implementation. One part of the CallbackHandler implementation is the type of data used for validating the user. Below is the code for the CallbackHandler used by our application.
To implement CallbackHandler, a single method has to be overridden: handle(). Let's see how it's done.
Create a class that implements the CallbackHandler interface, then override its handle() method (the handler needs java.io.IOException and the javax.security.auth.callback classes imported):
    class MyCallBackHandler implements CallbackHandler {
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                if (callbacks[i] instanceof NameCallback) {
                    NameCallback nc = (NameCallback) callbacks[i]; // the original cast this to PasswordCallback, which throws ClassCastException at run time
                    // do the needful to get the user name, such as a login page or a terminal-based user id prompter, then call nc.setName(...)
                } else if (callbacks[i] instanceof PasswordCallback) {
                    PasswordCallback pc = (PasswordCallback) callbacks[i];
                    // do the needful to get the password, such as a login page or a terminal-based password prompter, just like the one done for the user name, then call pc.setPassword(...)
                } else throw new UnsupportedCallbackException(callbacks[i]); // tell the LoginModule which callback type we cannot serve
            }
        }
    }
That’s all for the CallbackHandler.
3. Providing custom implementations for Principal and Action (this is optional)
This is an optional step. This step is useful for storing the user name and comparing it with a new login.
Just as in the previous step, start by creating a class. Since I am using this class to compare two userPrincipals, I have done the comparison in the equals() method.
    public class userPrincipal implements Principal, java.io.Serializable {
        private String name;
        public userPrincipal(String name) { this.name = name; }
        public boolean equals(Object o) {
            if (o == null) return false;                   // first check for a null object
            if (o == this) return true;                    // same object (identity, not value)
            if (!(o instanceof userPrincipal)) return false;
            userPrincipal other = (userPrincipal) o;       // assign to a userPrincipal and compare the value it holds
            return name.equals(other.getName());
        }
        public int hashCode() { return name.hashCode(); }  // keep hashCode consistent with equals; the Subject's principal Set relies on it
        public String getName() { return name; }           // the only method Principal requires
    }
The code first checks for a null object. Then it checks for equality of the object (identity, not value). Once that is done, it assigns the object to a reference of type userPrincipal and checks the equality of the value contained in it. The only method Principal requires to be overridden is getName(); in our case it just returns the name stored in the userPrincipal object.
Next is the implementation of PrivilegedAction (java.security.PrivilegedAction). By doing this we can control access to the resource at run time, on the basis of the permissions granted to the code.
Create a custom implementation by implementing the PrivilegedAction interface, then override the run() method as shown below. Implementations can differ.
    import java.io.File;
    import java.security.PrivilegedAction;

    public class userAction implements PrivilegedAction {
        public Object run() {
            File f = new File("tips.html");   // relative path, resolved against the current user directory (user.dir)
            if (!f.exists()) {
                System.out.println("File does not exist in user directory");
                // do other needful. In a real environment the output wouldn't be given like above
            }
            return null;
        }
    }
Here we are just checking for the existence of the file. The exists() check succeeds only if the code has the required permission on the file (the security manager rejects the call otherwise). In this case it has permission only in the user's home directory.
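To show how the CallbackHandler, the Principal and the PrivilegedAction fit together end to end, here is an added example (not from the article) of a hypothetical DemoLoginModule wired up through a programmatic Configuration, so no login.config file is needed. It assumes the article's userPrincipal class has a String constructor and that userAction is on the classpath, and it answers the callbacks with a constructed user name and password in place of a real prompt.

```java
import java.io.IOException;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical LoginModule: drives the CallbackHandler, then stores a userPrincipal in the Subject.
public class DemoLoginModule implements LoginModule {
    private Subject subject; private CallbackHandler handler; private String user;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }

    public boolean login() throws LoginException {
        Callback[] cbs = { new NameCallback("user: "), new PasswordCallback("password: ", false) };
        try {
            handler.handle(cbs);                          // the handler fills in name and password
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException(e.toString());
        }
        char[] pw = ((PasswordCallback) cbs[1]).getPassword();
        ((PasswordCallback) cbs[1]).clearPassword();      // do not leave the secret sitting in the callback
        if (pw == null || !Arrays.equals(pw, "s3cret".toCharArray()))   // constructed credential; a real module checks a user store
            throw new FailedLoginException("bad credentials");           // same message for bad user and bad password
        user = ((NameCallback) cbs[0]).getName();
        return true;
    }
    public boolean commit() { subject.getPrincipals().add(new userPrincipal(user)); return true; }
    public boolean abort() { user = null; return true; }
    public boolean logout() { subject.getPrincipals().clear(); return true; }

    public static void main(String[] args) throws LoginException {
        // Programmatic Configuration naming this module as REQUIRED for the "Demo" application
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.emptyMap()) };
            }
        };
        // Handler answering with constructed values instead of prompting (swap in MyCallBackHandler for real use)
        CallbackHandler h = cbs -> {
            for (Callback c : cbs) {
                if (c instanceof NameCallback) ((NameCallback) c).setName("alice");
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("s3cret".toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("Demo", new Subject(), h, cfg);
        lc.login();                                       // runs login() and then commit(); abort() on failure
        Subject.doAs(lc.getSubject(), new userAction());  // run the article's PrivilegedAction as the authenticated Subject
    }
}
```

From Java 17 the SecurityManager, and from Java 18 Subject.doAs, are deprecated for removal, so the FilePermission check inside userAction only takes effect when the JVM is started with -Djava.security.manager and a policy that grants the user's home directory.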