问题
I'm new to Java EE development however I'm going well in it, I'm a bit confused with the security part of my application.
I have read a few articles on how I can implement JAAS security in my Java EE web application. This is what I read & understood, all he others were unclear: http://uaihebert.com/user-login-validation-with-jaas-and-jsf/
The example is great and all but it configures the JBoss server, Im not using JBoss and I'm not intending to. If I were to use JAAS do I need to configure the local web server I'm running (developing) on? Perhaps there are some things I don't really understand about JAAS? And if I were to follow that example and use JBoss and configure it as they did. when I deploy my web application as a war file, and I uploaded the war file lets say on a tomcat server, will it still be secured?
Any help/guidance would be extremely appreciated! Thanks!
回答1:
JAAS security doesn't exist in Java EE. JAAS is a Java SE framework to secure resources at the class level. You use this for limiting what code that you downloaded (like Applets) can do on your computer.
With Java EE the situation is reversed. You don't download unknown code for a single user (you on your computer), but unknown users log in to your code (that you run on a server).
Some confusion happens because a few servers use the term JAAS for the server specific implementation of what's lately called "identity stores" (the things that store users and roles like ldap).
But:
- Only an embarrassing small part of JAAS is used (some types like LoginModule)
- Servers that claim to use JAAS all do it in such different way that you only wonder why they bothered with it to begin with
- By far not every server uses JAAS. Tomcat, Jetty, Resin, Liberty, and WebSphere don't use it at all.
来源:https://stackoverflow.com/questions/36202590/is-jaas-security-in-java-ee-based-web-application-server-dependent