
Web Applications and JAAS

Dan Moore
Consultant
Seurat Company
July 11, 2002

April 25, 2009 1 © 2002, Seurat Company


Introduction

• Overview of Struts
• Java Authentication and Authorization Service (JAAS)
• JAAS Authentication
• Integration with Struts
• Default JAAS Authorization
• Integration with Struts
• Situations where JAAS is useful/not useful
• About my experience



What do you want?

• How many are building web applications
  • Using Struts or other lightweight framework
  • Using ATG Dynamo, Websphere or other heavy framework
• Heard of Struts
• Played with Struts
• Heard of JAAS
• Played with JAAS
• Questions please



Motivation

• Authentication and Authorization are plumbing
  • Re-invent or re-learn the wheel
  • Re-learn once or many times
• Concepts from bright people
• Future integration with app servers
• Resume



Struts

• What is Struts
• Architecture
• Sample Struts-config.xml
• Example application



What is Struts

• Web application framework
  • MVC (almost)
  • Lightweight
  • Few services provided
• Open Source jakarta project
  • Apache license



Struts architecture



Show Struts-config.xml



Demo Untouched Example Application



What is JAAS

• Interfaces and classes for standard authentication and authorization
  • Lightweight & Pluggable
• Really two separate APIs
  • Authentication
  • Authorization
    • Which depends on Authentication
• JDK 1.3.x supplemental jar and now part of 1.4 JDK



Authentication

• Definitions
• Configuration
• Typical use
• Integration with example application
• Code



Definitions

• User
• Subject
• Principal
• Login module
• Login module set



Show Authentication Configuration File



Show Authentication Password File



Configuration of Authentication

• Configuration file
  • Tokens in configuration file
    • Required/optional/sufficient/necessary
  • Can replace class that reads this file
• Tagish Login Module
  • File based
  • GPL
  • Could write your own, see resources
• JVM awareness
  • 1.3 class loader issues
  • System property: java.security.auth.login.config
  • java.security file
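The slide's "can replace class that reads this file" point is easiest to see in code. The example below is added here and is not from the talk or its sample tarball: it is a `javax.security.auth.login.Configuration` subclass that returns, for one login module set, the same entries a configuration file would, and it installs itself in place of the file named by `java.security.auth.login.config`. The control-flag constants are the real JAAS ones (JAAS calls the fourth flag `requisite`); the three login module class names, the password file path and the set name `StrutsExample` are placeholders.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

/**
 * Programmatic replacement for the JAAS login configuration file.
 * It yields the same login module set that this file entry would:
 *
 *   StrutsExample {
 *       com.example.auth.SsoTokenLoginModule  sufficient;
 *       com.example.auth.FileLoginModule      required  passwordFile="/etc/app/passwd";
 *       com.example.auth.AuditLoginModule     optional;
 *   };
 *
 * All three module class names and the path are hypothetical placeholders.
 */
public final class ExampleLoginConfiguration extends Configuration {
    public static final String APP_NAME = "StrutsExample";

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        if (!APP_NAME.equals(name)) {
            // Unknown login module set: LoginContext reports "No LoginModules configured".
            return null;
        }
        Map<String, String> fileOptions = new HashMap<>();
        fileOptions.put("passwordFile", "/etc/app/passwd"); // placeholder path

        return new AppConfigurationEntry[] {
            // SUFFICIENT: if it succeeds (and no earlier required/requisite module failed),
            // login succeeds at once and the modules below are not consulted.
            new AppConfigurationEntry("com.example.auth.SsoTokenLoginModule",
                    LoginModuleControlFlag.SUFFICIENT, new HashMap<String, String>()),
            // REQUIRED: must succeed; on failure the remaining modules still run, then
            // login fails. REQUISITE is the same but returns immediately on failure.
            new AppConfigurationEntry("com.example.auth.FileLoginModule",
                    LoginModuleControlFlag.REQUIRED, fileOptions),
            // OPTIONAL: its outcome never decides the login; it still runs, so it can
            // record the attempt for auditing.
            new AppConfigurationEntry("com.example.auth.AuditLoginModule",
                    LoginModuleControlFlag.OPTIONAL, new HashMap<String, String>()),
        };
    }

    /**
     * Installs this configuration for the whole JVM. After this, new LoginContext(APP_NAME, ...)
     * resolves against these entries instead of the file named by the
     * java.security.auth.login.config system property or the login.config.url.N
     * entries in java.security.
     */
    public static void install() {
        Configuration.setConfiguration(new ExampleLoginConfiguration());
    }
}
```

Call `ExampleLoginConfiguration.install()` once at web application start-up, before the first `LoginContext` is created; the ordering of entries in the returned array is the order in which JAAS invokes the modules, which is why the sufficient module comes first.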



Typical Use

• Create LoginContext
  • Login module set name
  • Callbackhandler
• Interact with User
• Try to login
  • May repeat if need be
• If login successful, Subject is an attribute of LoginContext
• If login unsuccessful, exception thrown



Integration of Authentication with Example application

• Struts defers to adapter
  • Converts exceptions to boolean
  • Callbackhandler weirdness
• Struts caches Subject in session
  • 377 bytes in size
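The "Typical Use" sequence and the adapter described on this slide, written out as an added example (not the talk's own adapter or its sample code). The "callback handler weirdness" is that JAAS designed `CallbackHandler` for interactive prompting, whereas a web form has already collected the credentials, so the handler here only hands over what it was given and refuses any other callback type. The login module set name `StrutsExample`, the session attribute key and the use of a `Map` in place of `HttpSession` attributes (to stay free of the servlet API) are assumptions of this example.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * CallbackHandler for a web form: the user has already typed the credentials,
 * so instead of prompting, the handler fills in the callbacks it is asked for.
 */
final class FormCallbackHandler implements CallbackHandler {
    private final String username;
    private final char[] password; // same array as the adapter's, zeroed there after login

    FormCallbackHandler(String username, char[] password) {
        this.username = username;
        this.password = password;
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(username);
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(password); // PasswordCallback keeps its own copy
            } else {
                // e.g. a TextOutputCallback: there is no console to show it on
                throw new UnsupportedCallbackException(cb, "only name/password callbacks are supported");
            }
        }
    }
}

/** Adapter between Struts and JAAS: turns LoginException into a boolean and caches the Subject. */
public final class JaasAuthenticationAdapter {
    /** Session attribute under which the authenticated Subject is cached (assumed key). */
    public static final String SUBJECT_ATTRIBUTE = "jaas.subject";

    private final String loginModuleSet; // entry name in the JAAS login configuration

    public JaasAuthenticationAdapter(String loginModuleSet) {
        this.loginModuleSet = loginModuleSet;
    }

    /**
     * Runs the login module set once. Returns the Subject on success, null on failure.
     * The password array is zeroed on every path so the clear text does not linger.
     */
    public Subject authenticate(String username, char[] password) {
        try {
            LoginContext context = new LoginContext(loginModuleSet,
                    new FormCallbackHandler(username, password));
            context.login();              // throws LoginException when the module set rejects the user
            return context.getSubject();  // on success the Subject is an attribute of the LoginContext
        } catch (LoginException e) {
            // Record e server-side; the user should only learn that login failed, not why.
            return null;
        } finally {
            Arrays.fill(password, '\0');
        }
    }

    /**
     * What the Struts login Action calls. sessionAttributes stands in for
     * HttpSession attributes so this compiles without the servlet API.
     */
    public boolean login(Map<String, Object> sessionAttributes, String username, char[] password) {
        Subject subject = authenticate(username, password);
        if (subject == null) {
            return false;
        }
        sessionAttributes.put(SUBJECT_ATTRIBUTE, subject);
        return true;
    }
}
```

A Struts Action would construct `new JaasAuthenticationAdapter("StrutsExample")` once and call `login(...)` per form submission; because the adapter collapses every `LoginException` to `false`, the detail of why a login failed must be logged inside the adapter if it is wanted at all.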



Show Struts calling Adapter and Adapter



Authorization

• Caveat
• Definitions
• Java security
• Configuration
• Typical Use
• Integration with example application
• Code



Caveat

• This is the default authorization scheme
  • It has blemishes
  • Can plug in your own via java.security file, see resources



Definitions

• Resource
• Permission
  • Three components
    • Class, resource and action
    • java.io.FilePermission “/tmp” “read”
  • Basic permission/Permission
• Principals
• Security Manager



Java security model

• How many are familiar?
• Based on permissions and resources
• Code based
  • Permissions granted to code based on
    • a given location (jar, URL)
    • Signer of code
• Permission stack
  • Class A calls class B calls class C…
• JAAS extends to include Subject executing code



Show Authorization Configuration File



Configuration of Authorization

• In some respects, similar to authentication
  • Configuration file
• Based on java security model.
  • Subject must have every principal to access resource
  • Wild cards possible
    • But not null subjects
• Can replace class which reads this file
• Tell JVM where security configuration file lives
  • java.security
    • Multiple, unioned
  • Command line: java.security.auth.policy



Typical Use

• Install/get security manager
• Before allowing access to resource, check with security manager
  • All java classes that guard resources do this
• Subject.doAsPrivileged(subject, object wrapper of access, access context)



Integration with example application

• Treat URLs as resources
  • Basic permission, but in real app would want real Permission
• Subclass ActionServlet
  • Only resources ActionServlet controls are protected
  • Alternative—servlet filters
• Call off to utility class
• Special handling of login page
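The three preceding slides (configuration of authorization, the `Subject.doAsPrivileged` typical use, and the URL-as-resource integration) combine into one added example below; it is not the talk's utility class or sample code. It goes one step past the slide's `BasicPermission` to the "real Permission" the slide asks for: a `Permission` subclass whose `implies` understands a trailing `/*` on a URL path, which is what makes a single policy grant cover a whole area of the site. `UrlAuthorizer` is the utility class a subclassed `ActionServlet` or a servlet filter would call; it treats the login page specially (reachable without a Subject) and denies a null Subject everything else. The principal class `com.example.auth.UserPrincipal`, the package `com.example.web` in the policy comment and the URLs are placeholders. This is the JDK 1.4-era API the talk describes; `Subject.doAsPrivileged` and `AccessController` are deprecated for removal in JDK 17 and later, and `AccessController.checkPermission` consults the `Policy` directly, so no `SecurityManager` needs to be installed for this check.

```java
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.PrivilegedAction;
import java.util.Set;
import javax.security.auth.Subject;

/*
 * Policy entry (in the file named by java.security.auth.policy, or a JDK 1.4 java.policy)
 * that grants alice the whole admin area plus one report. The Subject must carry every
 * Principal named in a grant for that grant to apply:
 *
 *   grant Principal com.example.auth.UserPrincipal "alice" {
 *       permission com.example.web.UrlPermission "/admin/*";
 *       permission com.example.web.UrlPermission "/reports/monthly";
 *   };
 */

/** A URL path treated as a resource. A name ending in "/*" implies every path below it. */
public final class UrlPermission extends Permission {
    private static final long serialVersionUID = 1L;
    private final boolean wildcard;
    private final String path; // for a wildcard, the prefix including its trailing '/'

    public UrlPermission(String name) {
        super(name);
        wildcard = name.endsWith("/*");
        path = wildcard ? name.substring(0, name.length() - 1) : name;
    }

    /** The policy file parser passes (name, actions); URLs have no actions, so it is ignored. */
    public UrlPermission(String name, String actions) {
        this(name);
    }

    @Override
    public boolean implies(Permission p) {
        if (!(p instanceof UrlPermission)) {
            return false;
        }
        UrlPermission other = (UrlPermission) p;
        if (wildcard) {
            // "/admin/*" implies "/admin/users" and "/admin/users/*", but not "/admin" or "/administrator"
            return other.path.startsWith(path);
        }
        return !other.wildcard && other.path.equals(path); // exact grants only imply exact requests
    }

    @Override
    public boolean equals(Object o) {
        return o instanceof UrlPermission && ((UrlPermission) o).getName().equals(getName());
    }

    @Override
    public int hashCode() {
        return getName().hashCode();
    }

    @Override
    public String getActions() {
        return "";
    }
}

/** Utility class the ActionServlet subclass (or a filter) calls before dispatching a request. */
final class UrlAuthorizer {
    private final Set<String> publicUrls; // e.g. the login page and its form action

    UrlAuthorizer(Set<String> publicUrls) {
        this.publicUrls = publicUrls;
    }

    boolean isAllowed(Subject subject, String url) {
        if (publicUrls.contains(url)) {
            return true;  // special handling of the login page: no Subject needed
        }
        if (subject == null) {
            return false; // no null subjects: an anonymous request gets nothing else
        }
        final UrlPermission needed = new UrlPermission(url);
        try {
            // Run the check with the Subject's principals and an empty code stack (null context),
            // so only the principal-based grants in the policy decide the outcome.
            Subject.doAsPrivileged(subject, (PrivilegedAction<Void>) () -> {
                AccessController.checkPermission(needed);
                return null;
            }, null);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }
}
```

Both classes live in `UrlPermission.java`; the `ActionServlet` subclass would fetch the Subject the authentication adapter cached in the session, call `isAllowed(subject, request.getServletPath())`, and forward to the login page on `false`. Only requests routed through the `ActionServlet` are covered, which is the slide's reason for mentioning servlet filters as the alternative.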



Show Struts calling Authorization Utility



Places to extend Authorization

• Protect not only URLs but content as well
  • taglib
• Increase configuration file scalability
  • Permission class that “understands” URLs
  • HTTP/HTTPS delineation
• Would love an Open Source jar
  • Code emphasis not repairable



Demo Modified Application



Conclusion

• On pluggability
• Situations where JAAS is a good fit
• Situations where JAAS is not



Pluggability

• Overused term
• 2 kinds of pluggability
  • Class which reads configuration
  • Configuration file itself
    • Login modules
    • Permissions



Where JAAS looks useful

• You have different authentication systems that need to look the same
• Lightweight framework
• You have complex authentication systems
• Authorization is something you have time to rework



Where JAAS should be avoided

• Pre JDK 1.3 projects
• If there’s already a heavyweight framework available
  • Unless you want to tackle the integration issues
• If authorization is problematic and you don’t have time to fix it.



Finally

• For web applications, I feel
  • Authentication is ready
  • Authorization is not
• JAAS may not be good fit
  • Doesn’t integrate with application servers out there presently
  • Similar to servlet specification
    • Should be implemented by vendors



Resources

• Struts:
  • http://jakarta.apache.org/struts
• Write your own login module:
  • http://java.sun.com/security/jaas/doc/module.html
• Pick up some free ones:
  • http://free.tagish.net/jaas/doc.html
• Java security:
  • Java Security by Scott Oaks
• Write your own authentication system:
  • http://www-106.ibm.com/developerworks/library/j-jaas/?n-j-442
• Paper this talk is based upon:
  • http://mooreds.com/jaas.html
• Sample code that works with Struts:
  • http://mooreds.com/jaas-example.tar.gz



Thanks

• Seurat nee XOR
• Reviewers
  • Tom Malaher
  • Dion Almaer
  • Brian Pontarelli
  • Kris Thompson
• Steven Sweeting, Clive Jones, and Aaron Rustad
  • Basis of struts arch diagram

