Home arrow Java arrow Page 6 - JAAS, Securing J2EE Applications: Securing Web Components

JAAS, Securing J2EE Applications: Securing Web Components

Web applications must be developed with security in mind right from the start. Developers should plan for securing a web application with both the web server and the application server in mind. Securing a J2EE application can seem very complicated, however. This article, the first of two parts, explains how to secure J2EE web components.

Author Info:
By: A.P.Rajshekhar
Rating: 4 stars4 stars4 stars4 stars4 stars / 39
August 17, 2005
  1. · JAAS, Securing J2EE Applications: Securing Web Components
  2. · JAAS: What is it?
  3. · Subject, Principal and Credentials
  4. · Implementing the JAAS Security Module
  5. · 2. Write the CallBackHandler
  6. · 4. Configure the JAAS policy file
  7. · Using the JAAS Module to Secure the Web Component

print this article

JAAS, Securing J2EE Applications: Securing Web Components - 4. Configure the JAAS policy file
(Page 6 of 7 )

The configuration of JAAS policy is done in .policy files. Only one LoginModule is configured for the security module. The policies are set in user.policy and user_jaas.conf.

The contents are as follows:


/*grant the user LoginModule AllPermission i.e. give all permissions to LoginModule.*/

grant codebase “file:./user_module.jar”


    permission java.security.AllPermission;


grant codebase “file:./user.jar”


   permission javax.security.auth.AuthPermission “createLoginContext.User”;

   permission javax.security.auth.AuthPermission “doAs”;

   permission javax.security.util.PropertyPermission “java.home”,”read”;

  permission javax.security.util.PropertyPermission “user.home”,”read”;

java.io.FilePermission “tips.html”,”read”;


/*Also set similar permissions for other files. They are not shown here*/

Now for some explanations. The first entry grants the relevant permissions to the userLoginModule. The userLoginModule is considered fully trusted. So it is granted all permissions. The second entry grants permission to the program itself, since the application is not fully trusted. Hence subject is authenticated first, and Subject.doAs is invoked with that subject and a userAction, which accesses the System property- java.home, user, home and the file tips.html. Now for user_jaas.conf.


In this provide the application name and the required parameters. Here the name is given as userend.



   userLoginModule required debug=true


5.  Configure the J2EE Application server

This step changes with each application server. So it is better to consult the documents provided by the vendor.

blog comments powered by Disqus

- Java Too Insecure, Says Microsoft Researcher
- Google Beats Oracle in Java Ruling
- Deploying Multiple Java Applets as One
- Deploying Java Applets
- Understanding Deployment Frameworks
- Database Programming in Java Using JDBC
- Extension Interfaces and SAX
- Entities, Handlers and SAX
- Advanced SAX
- Conversions and Java Print Streams
- Formatters and Java Print Streams
- Java Print Streams
- Wildcards, Arrays, and Generics in Java
- Wildcards and Generic Methods in Java
- Finishing the Project: Java Web Development ...

Watch our Tech Videos 
Dev Articles Forums 
 RSS  Articles
 RSS  Forums
 RSS  All Feeds
Write For Us 
Weekly Newsletter
Developer Updates  
Free Website Content 
Contact Us 
Site Map 
Privacy Policy 

Developer Shed Affiliates


© 2003-2018 by Developer Shed. All rights reserved. DS Cluster - Follow our Sitemap
Popular Web Development Topics
All Web Development Tutorials