JAAS in Java2 1.4+ - JAAS Security on the BEA Weblogic server 7.x



Concept/intro

You should already have read the previous JAAS authentication example and now be familiar with the most fundamental JAAS issues.

At the moment I will not get into a source example here, since it is virtually impossible to do security properly in the BEA Weblogic server without using proprietary BEA concepts, which makes the code non-portable to other servers.

JAAS login in the BEA Weblogic server differs significantly from the previous examples, as it uses the BEA concept known as "security providers". This is a pluggable security concept in which several validation processes can take part in a single login.

BEA Weblogic also implements a number of classes in its own proprietary Java package structure, which handle the actual security work during a JAAS login.

There is documentation on the beasys site; specifically, you may find the JAAS documentation there. There used to be a full security provider example on the dev2dev site, ready to run out of the box, normally listed under the code section as source code for sample Security Providers for WLS 7.0 SP1. Note that everything is copyrighted by BEA.com etc. I've tried implementing the source code for the sample security provider and found that the online creation of the realm didn't always work (nor did it for a fellow colleague). But the ant scripting setup works well. Once installed, you may change the LoginModule to suit your own authentication needs.
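To show what "changing the LoginModule to suit your own authentication needs" involves, here is an added example of a custom LoginModule written against the standard javax.security.auth API only. It is not BEA's sample provider code and it does not use any weblogic.* classes; WebLogic's security provider framework wraps a module like this in its own proprietary provider classes, which this page deliberately leaves out. The class name, the UserPrincipal type and the in-memory credential table are constructed for the example. What it demonstrates beyond the prose is the two-phase login/commit protocol, the abort path that a stacked (multi-module) login relies on, and two defensive details: credentials are compared in constant time and the failure message does not reveal whether the user exists.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/*
 * Example JAAS login configuration (constructed for this example) showing how
 * "several validation processes" are stacked in plain JAAS; each entry is one
 * LoginModule, and the flag decides how its result affects the overall login:
 *
 *   MyRealm {
 *       com.example.SimpleLoginModule required;
 *       com.example.OtherLoginModule  sufficient;   // hypothetical second step
 *   };
 */
public class SimpleLoginModule implements LoginModule {

    /** Constructed principal type; a server would supply its own principal class. */
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public String toString() { return "UserPrincipal[" + name + "]"; }
    }

    // Constructed sample credential store: user -> SHA-256 of password.
    // A real provider would consult a directory or database and use a salted,
    // slow password hash; an unsalted digest is only used here to keep the example short.
    private static final Map<String, byte[]> USERS = new HashMap<String, byte[]>();
    static { USERS.put("alice", sha256("s3cret".toCharArray())); }

    private Subject subject;
    private CallbackHandler handler;
    private String userName;
    private UserPrincipal principal;
    private boolean loginSucceeded;
    private boolean commitSucceeded;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    /** Phase 1: collect and verify credentials. The Subject is not touched yet. */
    public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("No CallbackHandler available");
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException e) {
            throw new LoginException("Cannot collect credentials: " + e.getMessage());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException("Unsupported callback: " + e.getMessage());
        }
        char[] pw = pc.getPassword();          // returns a copy
        pc.clearPassword();
        byte[] actual = sha256(pw == null ? new char[0] : pw);
        if (pw != null) Arrays.fill(pw, '\0'); // do not leave the password in memory
        byte[] expected = USERS.get(nc.getName());
        // MessageDigest.isEqual is a constant-time comparison; the identical message for
        // "unknown user" and "wrong password" avoids confirming valid user names.
        if (expected == null || !MessageDigest.isEqual(expected, actual)) {
            throw new FailedLoginException("Invalid user or password");
        }
        userName = nc.getName();
        loginSucceeded = true;
        return true;
    }

    /** Phase 2: only when the whole stack succeeded does the Subject get its principal. */
    public boolean commit() {
        if (!loginSucceeded) return false;
        principal = new UserPrincipal(userName);
        subject.getPrincipals().add(principal);
        commitSucceeded = true;
        return true;
    }

    /** Called when another module in the stack failed: discard everything from login(). */
    public boolean abort() {
        if (!loginSucceeded) return false;
        if (commitSucceeded) { logout(); } else { userName = null; loginSucceeded = false; }
        return true;
    }

    public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        principal = null; userName = null; loginSucceeded = false; commitSucceeded = false;
        return true;
    }

    private static byte[] sha256(char[] chars) {
        try {
            return MessageDigest.getInstance("SHA-256")
                    .digest(new String(chars).getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The split between login() and commit() is what makes stacking work: every module in the configuration runs its login() first, and only if the combination of required/sufficient flags is satisfied does the framework call commit() on each, otherwise abort(). A module that adds principals already in login() breaks that contract, because a later module's failure would leave a half-populated Subject behind.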

Together with others, I've tried to adapt the WLS 7.x security provider concept into a full authorisation and authentication backbone for a large-scale EJB application, using XDoclet to generate the deployment config files for the beans.

You can find similar Sample Security Providers for WLS 8.1 at http://dev2dev.bea.com/codelibrary/code/security_prov81.jsp, which should run under later versions. The concepts do not change much, though. The upgraded source code for the sample Security Provider may be downloaded freely.

In BEA Weblogic Server versions 4.5.1 and 5.1 (which I previously worked with for several years), the realm was a completely proprietary thing. Fortunately, this changed for the better in BEA Weblogic Server 6.x and later.