Home arrow Java arrow Page 7 - JAAS, Securing J2EE Applications: Securing Web Components

JAAS, Securing J2EE Applications: Securing Web Components

Web applications must be developed with security in mind right from the start. Developers should plan for securing a web application with both the web server and the application server in mind. Securing a J2EE application can seem very complicated, however. This article, the first of two parts, explains how to secure J2EE web components.

Author Info:
By: A.P.Rajshekhar
Rating: 4 stars4 stars4 stars4 stars4 stars / 39
August 17, 2005
  1. · JAAS, Securing J2EE Applications: Securing Web Components
  2. · JAAS: What is it?
  3. · Subject, Principal and Credentials
  4. · Implementing the JAAS Security Module
  5. · 2. Write the CallBackHandler
  6. · 4. Configure the JAAS policy file
  7. · Using the JAAS Module to Secure the Web Component

print this article

JAAS, Securing J2EE Applications: Securing Web Components - Using the JAAS Module to Secure the Web Component
(Page 7 of 7 )

This is the last step in the complete process. The best way to do it is to implement a servlet-filter. Whenever a request is made to the web application, the request goes through the servlet-filter, if implemented or available. Hence from the login page, the user related data could be easily passed to the CallbackHandler.

To implement a servlet filter, first implement the Filter interface and then override the doFilter() method. In the doFilter method, call the CallbackHandler implementation and pass on the user data.

public class JAASLoginFilter implements Filter

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) {
        // login
        String username = request.getSession().getAttribute("username");
        char[] password  = request.getSession().getAttribute("password");
        handler = new UsernamePasswordHandler(username, password);
        LoginContext lc = new LoginContext("client-login", handler);

        // run the servlet
        chain.doFilter(request, response);

        // logout

The above code shows the implementation. The doFilter method calls the CallbackHandler and provides it with the user data. The above implementation is not the optimized version. It is just a high level version. There are various ways to do this. I will cover more about it in the future. To integrate this into the web application, have a peek into the example web.xml provided by the application server vendor. Thatís all about setting up JAAS with servlet filter.

So this brings us to the end of securing your web application using JAAS. I know I have left out the details of interaction between JAAS and the application. In part two, I will give you all the missing details. In todayís world of web security, to provide fine grained control, JAAS is the best option available to any J2EE developer as it combines the best of both role based security and programmatically enforcing it. Till next time.

DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware.

blog comments powered by Disqus

- Java Too Insecure, Says Microsoft Researcher
- Google Beats Oracle in Java Ruling
- Deploying Multiple Java Applets as One
- Deploying Java Applets
- Understanding Deployment Frameworks
- Database Programming in Java Using JDBC
- Extension Interfaces and SAX
- Entities, Handlers and SAX
- Advanced SAX
- Conversions and Java Print Streams
- Formatters and Java Print Streams
- Java Print Streams
- Wildcards, Arrays, and Generics in Java
- Wildcards and Generic Methods in Java
- Finishing the Project: Java Web Development ...

Watch our Tech Videos 
Dev Articles Forums 
 RSS  Articles
 RSS  Forums
 RSS  All Feeds
Write For Us 
Weekly Newsletter
Developer Updates  
Free Website Content 
Contact Us 
Site Map 
Privacy Policy 

Developer Shed Affiliates


© 2003-2019 by Developer Shed. All rights reserved. DS Cluster - Follow our Sitemap
Popular Web Development Topics
All Web Development Tutorials