Java – j_security_check and JAAS


I have been given the task of implementing a login handler. The only detail the handler captures is username and password. Initially I was going to use a JSP that posted to a servlet. Where the servlet carried out a db lookup and also validated the user credentials. Upon successful login you are redirected but unsuccessful takes you back to the jsp and displays appropriate error messages.

However upon doing some research I discovered j_security_check and JAAS and am not sure which to use or whether to at all.

What benefits will I get from either and which would be most suitable from my task? ?

Best Solution

Security is composed of following aspects:

  1. Authentication
  2. Authorization
  3. Transport layer security - Encryption

Authentication: - this consists of checking the credentials of the user; most of the times this is implemented through login mechanism. Your task of creating login page is part of authentication.

Authorization: - application resources need to be protected from unauthorized access that means when ever user requests for protected resource, application need to ensure that user has appropriate access rights. This is generally done by assign roles to the user and putting request filters that verify the access rights of the user. This part is more critical and requires detailed design analysis. Just authenticating user is not enough, you need to ensure that protected resources are not accessed by those users who are not authorized for the same.

Transport layer security: - system architecture need to ensure that data being transfered over the network doesnot fall into hands of hackers or sniffers. SSL/TSL is used for achieving this

J2EE containers and frameworks like Spring security provide common functionalities for each of the security aspect.

What you are trying to develop is simple authentication mechanism. Application security is more demandind when it comes to access control i.e. authorization.

Also security need to scalable i.e. as business needs changes for integrating systems and security your system should be able to adapt to things like Single Sign On (SSO), LDAP authentication etc.

Though JAAS and container security is good enough for scaling but there are few restrictions with the same. For example you would need to depend on vendor specific configurations and adapters. Your application would declare security needs in deployment descriptors and server administrators need to configure security realms at server end.

I would recommend you to evaluate Spring Security (previously Acegi Security) framework. We have been using the same in many of our projects and found it to be robust, customizable and easy to implement. It comes with set of filters that intercept your request and provide access control. Framework can be used to validate users against various user repositories such as database, LADP servers, OS Security etc. It is extensible and can be integrated with SSO servers. It also provides useful taglibraries for controlling access to parts within JSP pages. Not only that this framework also provides method level security that can be imposed at class level through Spring AOP framework