JAAS, Securing J2EE Applications: Securing Web Components
Web applications must be developed with security in mind right from the start. Developers should plan for securing a web application with both the web server and the application server in mind. Securing a J2EE application can seem very complicated, however. This article, the first of two parts, explains how to secure J2EE web components.
JAAS, Securing J2EE Applications: Securing Web Components - Using the JAAS Module to Secure the Web Component (Page 7 of 7 )
This is the last step in the complete process. The best way to do it is to implement a servlet-filter. Whenever a request is made to the web application, the request goes through the servlet-filter, if implemented or available. Hence from the login page, the user related data could be easily passed to the CallbackHandler.
To implement a servlet filter, first implement the Filter interface and then override the doFilter() method. In the doFilter method, call the CallbackHandler implementation and pass on the user data.
// run the servlet chain.doFilter(request, response);
// logout lc.logout(); } }
The above code shows the implementation. The doFilter method calls the CallbackHandler and provides it with the user data. The above implementation is not the optimized version. It is just a high level version. There are various ways to do this. I will cover more about it in the future. To integrate this into the web application, have a peek into the example web.xml provided by the application server vendor. Thatís all about setting up JAAS with servlet filter.
So this brings us to the end of securing your web application using JAAS. I know I have left out the details of interaction between JAAS and the application. In part two, I will give you all the missing details. In todayís world of web security, to provide fine grained control, JAAS is the best option available to any J2EE developer as it combines the best of both role based security and programmatically enforcing it. Till next time.
DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware.