Questions tagged [jacc]

JACC (Java Authorization Contract for Containers) is a specification that allows providers to be plugged in to handle the security decisions for a J2EE application server.

The Java Authorization Contract for Containers (JACC) is a specification that was introduced in Java 2 Platform, Enterprise Edition (J2EE) version 1.4 through the Java Specification Request (JSR) 115 process. This specification defines a contract between J2EE containers and authorization providers.

The contract enables third-party authorization providers to plug into J2EE application servers to make the authorization decisions when a J2EE resource is accessed. The access decisions are made through the standard java.security.Policy object.

16 questions
154
votes
1 answer

How can a JACC provider use the Principal-to-role mapping facilities of the server it's deployed on?

I am writing a JACC provider. Along the way, this means implementing a PolicyConfiguration. The PolicyConfiguration is responsible for accepting configuration information from the application server, such as which permissions accrue to which roles. …
Laird Nelson
15
votes
1 answer

In simplest terms, can anyone explain to me the difference between JAAS, JACC and JASPIC?

I'll be honest. I've been a developer for quite some time now but it's the first time I've heard of JACC and JASPIC. I understand that they are standards used by authorization providers, but how exactly do they differ from JAAS? And when would we…
5
votes
1 answer

Implement JACC provider

I need to support authentication and authorization from different systems. I'm using JBoss AS 7. Regarding authorization I have very detailed permission rules for the current system. As I realized I have to write my own PolicyConfiguration in order…
4
votes
1 answer

Custom isUserInRole implementation with RDBMS

I'm developing a Java EE 6 application using Glassfish 3.1.1 as my app server. I'm using declarative and programmatic security. I've defined several roles in my deployment descriptor, and defined all security constraints. I was using JDBCRealm, and…
user1232579
4
votes
2 answers

Glassfish @RolesAllowed with custom SecurityContext

The question I'm about to ask is a bit tricky and I haven't found any answer yet. Maybe because I'm looking for the wrong thing. But I hope you will help me on this. I used the following tutorial to implement a custom SecurityContext that uses…
mrik974
4
votes
1 answer

Get HttpSession/Request in a JAAS Login Module

I'm trying to obtain the HttpSession or Request in my Login Module. I already tried JACC, but it didn't work. I need this because I have to put a captcha in a login window. Maybe some JAAS ninja knows a better way to do that. I'm using kaptcha to do…
user1554562
3
votes
0 answers

Glassfish Security - jdbcRealm: How to implement "remember-me"

I'm using jdbcRealm with Glassfish V3 and Java EE 6 and I want to implement a cookie-based "Remember-Me". But it seems that I cannot set a filter before the JACC security checking. Any ideas?
rock
3
votes
1 answer

EJB 3.1 - implementation of javax.security.auth

As I understand, javax.security.auth is an API for authentication and authorization. I understand that security should be implemented by the container provider and the bean provider can just use it in his bean by simple annotations…
Bala
2
votes
1 answer

IllegalArgumentException: No handler can be found for the key 'javax.security.auth.Subject.container'

I am basically following this tutorial: https://www.ibm.com/developerworks/java/library/j-javaee8-security-api-4/index.html?ca=drs- My development environment: TomEE 8.0 M1 Plume. pom.xml
ThanhLoyal
2
votes
1 answer

JAAS & JACC: How do I kick a user out?

We're currently adopting JAAS and JACC using JBoss EAP 6.4/7.0. Just a brief explanation on how we are applying things: we use HttpServletRequest.login(...) to authenticate; subsequently, we use HttpServletRequest.logout() to log out; we have a…
Matthew Cachia
2
votes
0 answers

Java EE Security Concept

I need to create an application with authentication and authorization using Java EE 6 (Glassfish Server). I read a lot about Java EE 6 security and just wanted to ask if my concept is correct: Every user in the company has an account according to…
matthias
1
vote
2 answers

How to retrieve permissions from web.xml

I would like to know if there is a better way (without reflection) to get the java.security.Permissions for a specific URL and Role. For example: boolean canAccess = SecurityController.isAllowedToAccessUrl("/pages/confirmOrders.action",…
1
vote
1 answer

AuthenticationStatus returns NOT_DONE when using a custom form and a database identity store

I have spent days on updating myself to Java EE 8; there is a problem I've encountered when using @CustomFormAuthenticationMechanismDefinition and @DatabaseIdentityStoreDefinition together. I am using Glassfish v5, NetBeans 9 nightly and Java 8. What…
Hantsy
1
vote
0 answers

JBoss EAP PolicyContext.getContext returns null

I'm in the process of upgrading from JBoss EAP 6.4 to 7.1 but I am experiencing some technical issues regarding the management of the Subject. Some context: my application is an EAR file containing: a web module; several EJB modules bearing stateless…
Matthew Cachia
0
votes
1 answer

EJB security custom JACC provider

Our project has a very detailed authorization pattern so I had to implement my own JACC provider. Now I have a problem with EJB security. I have an EJB method and I want to limit access to it based on its argument values. For example, consider the…
arash