Comments on: J2EE Security is superior, but you aren't using it http://blog.kischuk.com/2004/02/26/j2ee-security-is-superior-but-you-arent-using-it/ Just another WordPress.com weblog Wed, 19 May 2010 15:39:28 +0000 hourly 1 http://wordpress.com/ By: Rob Kischuk http://blog.kischuk.com/2004/02/26/j2ee-security-is-superior-but-you-arent-using-it/#comment-225 Rob Kischuk Sun, 29 Feb 2004 23:50:30 +0000 http://rkischuk.wordpress.com/2004/02/26/j2ee-security-is-superior-but-you-arent-using-it/#comment-225 By 'exception', I'd presume you mean a 403 - forbidden error, at least that's what a container ought to do. If so, you can solve the user experience issue my adding an "error-page" entry to your web.xml file, pointing them to a friendlier error page. <p> If the container's giving you a full-on exception, Struts has declarative error handling that work nicely. <p> Of course, the core of the problem is that your app shouldn't have links that encourage users to link to areas they're not authorized to view - if they are presented with such links, THAT is the core design issue, not JAAS. By ‘exception’, I’d presume you mean a 403 – forbidden error, at least that’s what a container ought to do. If so, you can solve the user experience issue my adding an “error-page” entry to your web.xml file, pointing them to a friendlier error page.

If the container’s giving you a full-on exception, Struts has declarative error handling that work nicely.

Of course, the core of the problem is that your app shouldn’t have links that encourage users to link to areas they’re not authorized to view – if they are presented with such links, THAT is the core design issue, not JAAS.

]]> By: Paul Vincent Craven http://blog.kischuk.com/2004/02/26/j2ee-security-is-superior-but-you-arent-using-it/#comment-224 Paul Vincent Craven Sat, 28 Feb 2004 15:04:21 +0000 http://rkischuk.wordpress.com/2004/02/26/j2ee-security-is-superior-but-you-arent-using-it/#comment-224 I found JAAS to useless for security of a web application. You access something you aren't supposed to, and 'pow' you get an exception. Not a great user experience. It is as much work putting in a decent interface to handle the exceptions, as to do the security in the first place. Getting the initial set of security permissions for basic functionality is also a headache. I tied this path twice, once with Tomcat and once with Websphere. I didn't think it handled the project's needs either time I tried it. We had another group go down that road and also come to the same conclusion. I found JAAS to useless for security of a web application. You access something you aren’t supposed to, and ‘pow’ you get an exception. Not a great user experience. It is as much work putting in a decent interface to handle the exceptions, as to do the security in the first place. Getting the initial set of security permissions for basic functionality is also a headache. I tied this path twice, once with Tomcat and once with Websphere. I didn’t think it handled the project’s needs either time I tried it. We had another group go down that road and also come to the same conclusion.

]]> By: Rob Kischuk http://blog.kischuk.com/2004/02/26/j2ee-security-is-superior-but-you-arent-using-it/#comment-223 Rob Kischuk Fri, 27 Feb 2004 10:51:09 +0000 http://rkischuk.wordpress.com/2004/02/26/j2ee-security-is-superior-but-you-arent-using-it/#comment-223 A lot of the perceived complexity depends on the app server. At its simplest level, JBoss provides a mechanism that requires 2 files, users.properties and roles.properties. users.properties manages the authentication part, roles.properties handles authorization. If you want simple, just create a single role, make all your users a part of that role, and restrict your apps to say that users must be a member of that role. Hopefully other app servers have a base level implementation that is just as simple, and more advanced implementations (LDAP,JDBC) for those who need it. A lot of the perceived complexity depends on the app server. At its simplest level, JBoss provides a mechanism that requires 2 files, users.properties and roles.properties. users.properties manages the authentication part, roles.properties handles authorization. If you want simple, just create a single role, make all your users a part of that role, and restrict your apps to say that users must be a member of that role. Hopefully other app servers have a base level implementation that is just as simple, and more advanced implementations (LDAP,JDBC) for those who need it.

]]> By: Ryan Daigle http://blog.kischuk.com/2004/02/26/j2ee-security-is-superior-but-you-arent-using-it/#comment-222 Ryan Daigle Fri, 27 Feb 2004 10:40:25 +0000 http://rkischuk.wordpress.com/2004/02/26/j2ee-security-is-superior-but-you-arent-using-it/#comment-222 I find JAAS to be a bit confusing and over-architected for simple username/password authentication. I always like to know how the authentication I'm using works, and I can't seem to figure it out with JAAS and end up doing my own. I just need to find a simple JDBC-username/password example and maybe I'd be a convert. I find JAAS to be a bit confusing and over-architected for simple username/password authentication. I always like to know how the authentication I’m using works, and I can’t seem to figure it out with JAAS and end up doing my own. I just need to find a simple JDBC-username/password example and maybe I’d be a convert.

]]>