I'm new to Java EE development; however, I'm going well in it. I'm a bit confused with the security part of my application.
I have read a few articles on how I can implement JAAS security in my Java EE web application. This is what I read & understood; all the others were unclear: http://uaihebert.com/user-login-validation-with-jaas-and-jsf/
The example is great and all, but it configures the JBoss server. I'm not using JBoss and I'm not intending to. If I were to use JAAS, do I need to configure the local web server I'm running (developing) on? Perhaps there are some things I don't really understand about JAAS? And if I were to follow that example and use JBoss and configure it as they did, when I deploy my web application as a war file and upload the war file to, let's say, a Tomcat server, will it still be secured?
Any help/guidance would be extremely appreciated! Thanks!
JAAS security doesn't exist in Java EE. JAAS is a Java SE framework to secure resources at the class level. You use this for limiting what code that you downloaded (like Applets) can do on your computer.
With Java EE the situation is reversed. You don't download unknown code for a single user (you on your computer), but unknown users log in to your code (that you run on a server).
Some confusion happens because a few servers use the term JAAS for the server-specific implementation of what's lately called "identity stores" (the things that store users and roles, like LDAP).
But: