Why should I use JAAS against hand-written security?

I have hand-written security: a simple servlet filter which redirects unauthorized users to their login pages. The login controller redirects them to the requested URL after successful authentication, or to their main page. This approach works fine; the only disadvantage is that I have to pass the User object, which is stored in the HttpSession, through the stack trace to the EJB beans.

Now I have rewritten some code and use Spring Security for HTTP-based authentication. It is integrated automatically with GlassFish JAAS.

I don't need to pass User through the stack trace anymore; invoking sessionContext.getCallerPrincipal() is enough. But the principal object returns only the userName, not the userId, so I have to perform an additional select if I need the userId, for example.

1) Is there any way to extend the Principal object so it can store more properties?

2) Why should I use JAAS or Spring Security or another security framework? Why not just a hand-written servlet filter?

user12384512 asked Apr 21 '11 14:04

1 Answer

2) Using a standard security mechanism like JAAS has many advantages:

  1. You can easily change the way users authenticate solely by configuring your server, without needing to change anything inside your code.

  2. You can be sure your security is up to date, supporting the strongest algorithms, storing the Principal in a secure manner and so on, again just by staying up to date with your server, framework etc. A hand-written security module is error-prone and likely to be outdated soon.

  3. You can leverage framework security, e.g. web.xml security tags and EJB security annotations. Because JAAS is a standard way to authenticate, you can be sure adopting future technologies will be easier, because all serious technologies will support JAAS (Spring Security etc.). If your software is planned to grow, you will definitely need a standard.

  4. It will save you time and effort. JAAS provides both authentication and authorization, neatly packed and configurable within minutes.

  5. I recommend further reading on J2EE security, or you can find more resources in the OWASP guides.

Jurri answered Nov 08 '22 08:11

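The following is an added illustration of the two points raised above (carrying a userId on the Principal, and letting the container enforce authorization through EJB annotations instead of a hand-written filter). It is not code from the question, the answer, Spring Security or GlassFish. The class and method names (UserPrincipal, OrderBean, placeOrder, findUserIdByName) and the role name "customer" are hypothetical. It also assumes a Java EE container with EJB 3.x annotations; which Principal implementation getCallerPrincipal() actually returns depends on the server's realm and login module, so the code keeps a fallback for a generic Principal.

```java
// File: UserPrincipal.java (hypothetical application class, not part of any framework)
import java.io.Serializable;
import java.security.Principal;

/**
 * A Principal that carries the database id next to the login name, so EJBs
 * can obtain the id from the caller principal without an extra SELECT.
 * Immutable and Serializable so it can be propagated or stored by the container.
 */
public final class UserPrincipal implements Principal, Serializable {
    private static final long serialVersionUID = 1L;
    private final String name;
    private final long userId;

    public UserPrincipal(String name, long userId) {
        if (name == null || name.isEmpty()) {
            throw new IllegalArgumentException("name must not be empty");
        }
        this.name = name;
        this.userId = userId;
    }

    @Override public String getName() { return name; }
    public long getUserId() { return userId; }

    @Override public boolean equals(Object o) {
        return o instanceof UserPrincipal
            && ((UserPrincipal) o).userId == userId
            && ((UserPrincipal) o).name.equals(name);
    }
    @Override public int hashCode() { return Long.hashCode(userId) * 31 + name.hashCode(); }
    @Override public String toString() { return "UserPrincipal[" + name + ", id=" + userId + "]"; }
}

// File: OrderBean.java (hypothetical EJB showing container-managed authorization)
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
public class OrderBean {
    @Resource
    private SessionContext ctx;

    /**
     * The container checks the "customer" role before this method runs; an
     * unauthenticated or unauthorized caller gets an EJBAccessException and
     * never reaches the business logic. No User object is passed in by hand.
     */
    @RolesAllowed("customer")
    public long placeOrder(String sku, int quantity) {
        long ownerId = currentUserId();
        // ... persist an order owned by ownerId (omitted) ...
        return ownerId;
    }

    /**
     * Resolves the caller's id. If the realm installed our own UserPrincipal,
     * the id is available directly; otherwise fall back to the lookup by name
     * that the question describes. Assumption: some realms wrap or replace the
     * Principal class, so the instanceof branch must not be relied on blindly.
     */
    private long currentUserId() {
        Principal caller = ctx.getCallerPrincipal();
        if (caller instanceof UserPrincipal) {
            return ((UserPrincipal) caller).getUserId();
        }
        return findUserIdByName(caller.getName());
    }

    /** Hypothetical repository call: one SELECT by unique login name. */
    private long findUserIdByName(String name) {
        throw new UnsupportedOperationException("look up " + name + " in the user table");
    }
}
```

The design point is that authorization (@RolesAllowed) and identity lookup (getCallerPrincipal) both come from the container's JAAS configuration, so swapping the realm from a database to LDAP or a certificate login module changes no line of the bean. Whether your own Principal subclass survives the trip from the web tier to the EJB tier is server-specific; verify it on your container and keep the name-based fallback until you have.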