Sunday, January 08, 2006

Enterprise Java Community: The Power of JAAS: Security System Alternatives

Purpose

I attended the CIO Forum several months ago and sat in on a presentation on Identity Management, which C-level executives consider one of the hot technologies. From a C-level executive's perspective, this presentation falls generally under the domain of Identity Management. At the Forum, the speaker briefly discussed RBAC (Role Based Access Control) and anecdotally mentioned that it is a "hard nut to crack."

This article is an extension of a recent article I published on TheServerSide.com, Exploring J2EE Security for Applications using LDAP. That article identified the key interfaces within a J2EE-compliant application server that need to be configured in order to build secure applications, focusing on RBAC, which is an integral part of Identity Management.

However, that article did not discuss in detail the alternatives to using LDAP directly as the backing security system for Java Authentication and Authorization Service (JAAS), such as a Trust Association, one of the more popular alternatives. Essentially, the power of JAAS lies in its ability to plug in almost any underlying security system. One such approach is to use a Trust Association Interceptor (TAI) instead of direct LDAP access.