Hi Daniel,
JAAS is not necessarily tied to the OS user. Actually you can tie it to
the OS user by using proper login modules which can authenticate if a
user is already logged into an OS. However, in a true Java spirit, JAAS
is much more generic. In fact it is just a framework to implement
versatile authentication and authorization schemes. For instance, I
authenticate user's against a relational database (some might use LDAP).
The JAAS provides abstractions to represent user's identity and
permissions. It also provides algortihms to check if configured security
policy implies certain permission.
Some sample code:
PagePermission pagePermission = new
PagePermission("admin");
PermissionCollection pc =
Policy.getPolicy().getPermissions(user.getSubject(), null);
if (pc.implies(pagePermission)) {
// authorization succeeded...
}
else {
// authorization failed, the current user don't have a permission to
view a page on this domain.
}
Then on policy file I might have:
grant Principal org.shiftctrl.framework.security.SCGroupPrincipal
"admin" {
permission
org.shiftctrl.framework.security.permissions.PagePermission "admin";
};
This way it is easy to implement multiuser Java applications where
accesses are controlled on per-user or per-group level. JAAS is also
integrated to the JDK 1.4, like the new logging API you mentioned.
--
Joni
[EMAIL PROTECTED]
Daniel López wrote:
>
> Hi Joni,
>
> I agree it can be done. My situation is that I just don't log requests
> but I can log everything that happens in the environment, security
> settings, internationalization issues, XML/XSLT performance... so my
> logging code is tightly integrated with the framework and I can control
> it from a single point. I could use a filter to check things before the
> request is served, but as the rest of the parts are going to use it,
> what do I win by externalising it. Anyway, I hope to be able to discard
> this part of the environment as soon as JDK1.4 logging features become a
> reality. With security is more or less the same, we implemented our own
> security library because we are not satisfied with the standard and we
> don't want to get container specific. I agree I could externalise this
> as a filter but I wouldn't really win much, as it is also quite tightly
> integrated with the rest of the things. IMO, things that are standard
> and can be switched on/off and replaced with another implementation
> without a hitch are candidates to be externalised, otherwise, it's not
> that it cannot be done with filters, it's that I don't see a big win in
> doing so. Of course, that's my situation because I can control the MVC 2
> implementation and I can tightly integrate these parts.
>
> Just a question. I thought JAAS was used to control if the OS user that
> was executing the Java code was/was not allowed to perform such
> execution. If the OS user that executes the servlet code is supposedly
> always the same, how is this thing related to the application user that
> performs the request? I didn't think this standard could be used for
> that, if it is, I might go for it ;).
>
> regards,
> Dan
>
> Joni Suominen wrote:
> >
> > Hi!
> >
> > I have implemented these features as "externalized" filters. The reason
> > for this was that I use a MVC 2 product which is developed independently
> > (Jakarta Struts http://jakarta.apache.org/struts/). Like Marcel said the
> > beauty of filters is that they are independent from the rest of the
> > application. The filters allow me to plug in these services to the
> > application without any integration code. So, I have a LogFilter which
> > logs the requests using log4j (http://jakarta.apache.org/log4j/). After
> > that there's an AuthorizationFilter which checks if the current user has
> > priviledges to execute the request. AuthorizationFilter utilizes the
> > forthcoming Java Authentication and Authorization service
> > (http://java.sun.com/products/jaas/). All in all, I have a pretty
> > flexible system with a very little own code.
> >
> > Joni
> > [EMAIL PROTECTED]
> >
> > Daniel López wrote:
> > >
> > > Hi,
> > >
> > > I've also used filters, but in this case to filter requests by IP, as I
> > > don't want certain IP's to be able to access certain URLs. On the other
> > > hand, I implemented security, logging and other features inside my own
> > > servlet Controller, following a Model 2 approach. I thought about
> > > "externalizing" this services as filters, but that would mean that the
> > > web.xml file will grow too much and that I would have to put too much
> > > things in the request object each time. It's not that I've discarded the
> > > idea, but I don't see any compelling reason to implement everything as
> > > filters. We don't use servlets, but ONE controller servlet and action
> > > classes and we use JSP as view-only, creatures (actually, we seldom use
> > > them as we use XML/XSLT), so as anyway all the requests go through my
> > > controller servlet... We implemented IP filtering as a filter because we
> > > also wanted to use it in other applications, as well as with static
> > > content.
> > > Just my 2c,
> > > D.
> > > -------------------------------------------
> > > Daniel Lopez Janariz ([EMAIL PROTECTED])
> > > Web Services
> > > Computer Center
> > > Balearic Islands University
> > > -------------------------------------------
> > >
> > > Marcel Schutte wrote:
> > > >
> > > > Hi Randahl,
> > > >
> > > > I've used a filter to do gzip encoding for specific file types. Starting
> > > > with the tutorial at http://www.orionserver.com/tutorials/filters/lesson5/,
> > > > I've changed some things to get the hang of it and also to reduce the amount
> > > > of buffering used. It works fine, haven't had a problem with this
> > > > (intranet)site.
> > > >
> > > > The beauty of filters is that they are completely independent from your
> > > > application, just edit your web.xml and you are set.
> > > >
> > > > Let me know if you wnat some more info.
> > > >
> > > > Marcel
> > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED]
> > > > > [mailto:[EMAIL PROTECTED]]On Behalf Of Randahl Fink
> > > > > Isaksen
> > > > > Sent: Wednesday, May 30, 2001 9:39 AM
> > > > > To: Orion-Interest
> > > > > Subject: RE: bugs in <@page extends="...."> in Orion implementation?
> > > > >
> > > > >
> > > > > Hi Marcel
> > > > >
> > > > >
> > > > > I looked it up, and I definately see your point about the
> > > > > filter mechanism.
> > > > > Have you any experience with this on Orion? Does it work
> > > > > well? And what have
> > > > > you used it for?
> > > > >
> > > > > Of course if anyone else have tried it out, I would very much
> > > > > like to hear
> > > > > from you too.
> > > > >
> > > > >
> > > > > Yours
> > > > > Randahl
> > > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED]
> > > > > [mailto:[EMAIL PROTECTED]]On Behalf Of
> > > > > Marcel Schutte
> > > > > Sent: 30. maj 2001 00:22
> > > > > To: Orion-Interest
> > > > > Subject: Re: bugs in <@page extends="...."> in Orion implementation?
> > > > >
> > > > >
> > > > > That's right, the two examples Randahl gives can be easily
> > > > > solved using the
> > > > > servlet2.3 filter mechanism, giving a very loose coupling of
> > > > > these features
> > > > > with your actual application.
> > > > >
> > > > > Marcel
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Juan Lorandi (Chile)" <[EMAIL PROTECTED]>
> > > > > To: "Orion-Interest" <[EMAIL PROTECTED]>
> > > > > Sent: Tuesday, May 29, 2001 10:45 PM
> > > > > Subject: RE: bugs in <@page extends="...."> in Orion implementation?
> > > > >
> > > > >
> > > > > > I believe this could be better modeled differently, because
> > > > > it leaves no
> > > > > > room for the web server to implement its callbacks and java doesn't
> > > > > support
> > > > > > multiple inheritance.
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Randahl Fink Isaksen [mailto:[EMAIL PROTECTED]]
> > > > > > > Sent: Martes, 29 de Mayo de 2001 3:01
> > > > > > > To: Orion-Interest
> > > > > > > Subject: RE: bugs in <@page extends="...."> in Orion
> > > > > implementation?
> > > > > > >
> > > > > > >
> > > > > > > Well, can anyone confirm that JSP pages can extend your own
> > > > > > > class when using
> > > > > > > Orion??? Or has noone been able to use "@page extends"?
> > > > > > >
> > > > > > > I see many good reasons for implementing your own super class
> > > > > > > for your JSP
> > > > > > > pages. For instance, such a superclass could do logging
> > > > > of all client
> > > > > > > activities or it could do security checking.
> > > > > > >
> > > > > > >
> > > > > > > Randahl
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: [EMAIL PROTECTED]
> > > > > > > [mailto:[EMAIL PROTECTED]]On Behalf Of Robert
> > > > > > > Nicholson
> > > > > > > Sent: 25. maj 2001 21:15
> > > > > > > To: Orion-Interest
> > > > > > > Subject: RE: bugs in <@page extends="...."> in Orion
> > > > > implementation?
> > > > > > >
> > > > > > >
> > > > > > > It's doing you a favour.Please elaborate on why you want to extend
> > > > > > > that class.
> > > > > > >
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: [EMAIL PROTECTED]
> > > > > > > > [mailto:[EMAIL PROTECTED]]On Behalf Of
> > > > > > > Jiuyun Wang
> > > > > > > > Sent: Friday, May 25, 2001 9:20 AM
> > > > > > > > To: Orion-Interest
> > > > > > > > Subject: Re: bugs in <@page extends="...."> in Orion
> > > > > implementation?
> > > > > > > >
> > > > > > > >
> > > > > > > > It doesnot work, not matter which one (servlet/jspbase)
> > > > > I extends my
> > > > > > > > jsp, orion jsp compiler just don't support extends....
> > > > > > > >
> > > > > > > > -Jiuyun
> > > > > > > > --- SCOTT FARQUHAR <[EMAIL PROTECTED]> wrote:
> > > > > > > > > It looks like your page should extend servlet and not jsppage.
> > > > > > > > >
> > > > > > > > > Just change JSPBase to extend servlet (and make the required
> > > > > > > > > changes).
> > > > > > > > >
> > > > > > > > > I haven't read the spec, but I imagine that extending
> > > > > > > > > OrionHttpJspPage is proprietary, and would not be part of
> > > > > > > the spec.
> > > > > > > > >
> > > > > > > > > Scott
> > > > > > > > >
> > > > > > > > > >>> [EMAIL PROTECTED] 05/23/01 05:42am >>>
> > > > > > > > > I create a class called JSPBase class which extends
> > > > > > > OrionHttpJspPage,
> > > > > > > > > and I put the <@ page extends="packagename.JSPBase"> in
> > > > > > > my JSP file.
> > > > > > > > > however, orion give the following error:
> > > > > > > > >
> > > > > > > > > Superclass of the JSP page does not implement
> > > > > > > Servlet, invalid
> > > > > > > > > extends attribute.
> > > > > > > > >
> > > > > > > > > Does orion implement <@page extends> correctly?
> > > > > > > > >
> > > > > > > > > Any clarification?
> > > > > > > > >
> > > > > > > > > -Jiuyun
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > __________________________________________________
> > > > > > > > > Do You Yahoo!?
> > > > > > > > > Yahoo! Auctions - buy the things you want at great prices
> > > > > > > > > http://auctions.yahoo.com/
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > =====
> > > > > > > > Jiuyun Wang M.Sc. of Computer Sciences
> > > > > > > > Sun Certified Programmer for Java 2 Platform
> > > > > > > > IBM Certified Solution & Enterprise Developer
> > > > > > > > Phone: 919-696-0419(cel)
> > > > > > > > Email: [EMAIL PROTECTED]
