jaas

Part A: Role vs RoleGroup Can someone explain the difference between a Role and a RoleGroup in the jboss DatabaseServerLoginModule ? I'm confused after looking at the examples in the JBoss 6 documentation One area of confusion is when they describe the logical tables the user to role mapping table has three columns: Table Principals(PrincipalID text, Password text) Table Roles(PrincipalID text, Role text, RoleGroup text) But the example they offer only uses two columns: CREATE TABLE Users(username VARCHAR(64) PRIMARY KEY, passwd VARCHAR(64)) CREATE TABLE UserRoles(username VARCHAR(64),

In Spring Security am using DefaultJaasAuthenticationProvider Configuration for login authentication with linux username/password. JpamLoginModule is used for authentication. I am successfull with authentication but i had problem in authoriztion(ROLE_USER,ROLE_ADMIN), am getting HTTP Status 403 - Access is denied Error. Following Configuration i used in spring-security.xml <security:authentication-manager> <security:authentication-provider ref="jaasAuthProvider" /> </security:authentication-manager> <bean id="jaasAuthProvider" class="org.springframework.security.authentication.jaas

When developing a Web service(Hospital Management System) using Java EE, is it necessary that for each Web Service call, it has to be checked that the user is logged in?? Which authentication method is the best JAAS, WS-Security, SAML, or a combination or using own tokens ?? It all depends on how is your web service implemented/or its going to be. If you still have a choice I would recommend going with REST approach, authenticate the user with some kind of login functionality and then maintain users session. Timo89 You can use filters. Here's an example of how to use filters: http://viralpatel

I'm trying to run code within JBoss Container under a different authentication by programatically logging in a user like that (stripped exception handling): LoginContext ctx = ctx = new LoginContext("MyLoginSchema", new UsernamePasswordCallbackHandler("newuser", "") ); ctx.login(); Subject.doAs(ctx.getSubject(), new PrivilegedAction<T>() { @Override public T run() { Subject.getSubject(AccessController.getContext()); InitialContext ic = new InitialContext(); EJBContext sctxLookup = (EJBContext) ic.lookup("java:comp/EJBContext"); Principal principal = sctxLookup.getCallerPrincipal(); } }); Login

In javax.faces.webapp.FacesServlet docs, it is mentioned, Allowable HTTP Methods The JSF specification only requires the use of the GET and POST http methods. If your web application does not require any other http methods, such as PUT and DELETE, please consider restricting the allowable http methods using the <http-method> and <http-method-omission> elements. Please see the Security of the Java Servlet Specification for more information the use of these elements. My application indeed does not depend upon other HTTP methods (except GET and POST ). Therefore, I am trying to use <http-method>