7 Replies. Latest reply: Jun 22, 2012 7:29 AM by janpla

Security: a couple of questions

janpla Newbie
I have been given the task of adding security to a Java EE ver 6 application running on GlassFish 3. I have spent some time studying the basic concepts, but I am still a bit raw - and the task is not exactly typical either, I think.

The application has a number of forms that interact with MySQL tables as well as some that interact with a system called STAF, which has features for user authentication. I have to use the STAF authentication to authenticate users for the entire application.

Authentication in STAF works like this:

First you create a STAFHandle (a Java class).
Next you authenticate your STAFHandle with a user ID and password
Then you use the STAFHandle to send off STAF commands

Thus, the STAFHandle is very central; as far as I understand it, I should be able to access this authentication mechanism through JAAS by creating a LoginModule (?), but is there a way to preserve the STAFHandle for the use of the rest of the application? Or am I wildly off the mark here?
  • 1. Re: Security: a couple of questions
    EJP Guru
    I don't see how anybody here can help you with your unknown system. This is not a STAF forum, or website. Try the people who wrote it.

    I wouldn't be assigning a security task to someone 'still a bit raw' myself.
  • 2. Re: Security: a couple of questions
    janpla Newbie
    Thank you for your kind and helpful answer.

    I don't know if you noticed, but I didn't ask about STAF security - something I am supremely well versed in - but about the specifics of JAAS and how one could integrate STAF's security check into the way it happens on Glassfish 3. And perhaps I shouldn't have been so modest about myself, since it only seems to have invited contempt. I am "raw" when it comes to Java EE, but have 25+ years of experience with just about everything else; UNIX (all of them), databases (all of them, including some obscure ones), programming languages (...), etc etc etc.

    Again, thank you for your time.

    Edited by: janpla on Jun 22, 2012 12:09 AM
  • 3. Re: Security: a couple of questions
    r035198x Pro
    A custom login module to do the STAF authentication steps and a CustomPrincipal that contains the STAF handle (assuming the handle is only created once) should do it.
    The details for how to do these would be in the container's manuals as different containers do these differently.
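    As an added illustration of the approach described above (a custom JAAS LoginModule plus a principal that carries the STAF handle); this is example code written for this thread, not code from the original posts, from GlassFish or from STAF, and the StafSession class is a hypothetical stand-in for the real STAFHandle creation and authentication calls:

```java
import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Hypothetical wrapper for the STAF client. The real STAFHandle calls are not on the
// page, so creating the handle and authenticating it are left as an assumption.
final class StafSession {
    static StafSession open(String user, char[] password) throws LoginException {
        throw new LoginException("create a STAFHandle and authenticate it here");
    }
}
// The principal the rest of the application looks for. The live handle is transient
// so it is never written out if the container serializes the Subject (e.g. session
// replication); after deserialization getSession() returns null and must be re-opened.
final class StafPrincipal implements Principal, Serializable {
    private final String name;
    private final transient StafSession session;
    StafPrincipal(String name, StafSession session) { this.name = name; this.session = session; }
    public String getName() { return name; }
    public StafSession getSession() { return session; }
}
public class StafLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private StafPrincipal pending;   // built in login(), attached to the Subject only in commit()

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.getMessage()); }
        char[] pw = pc.getPassword();
        if (nc.getName() == null || pw == null) throw new LoginException("missing credentials");
        try { pending = new StafPrincipal(nc.getName(), StafSession.open(nc.getName(), pw)); }
        finally { Arrays.fill(pw, '\0'); pc.clearPassword(); }   // do not keep the password in memory
        return true;
    }
    public boolean commit() { if (pending != null) subject.getPrincipals().add(pending); return pending != null; }
    public boolean abort()  { pending = null; return true; }
    public boolean logout() {
        subject.getPrincipals().removeAll(subject.getPrincipals(StafPrincipal.class)); pending = null; return true;
    }
}
```

    What the application later gets back from getUserPrincipal() is container-specific (GlassFish may hand out its own wrapper rather than the StafPrincipal), so locating the principal in the Subject is exactly the part the container manual has to answer.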
  • 4. Re: Security: a couple of questions
    EJP Guru
    janpla wrote:
    I don't know if you noticed, but I didn't ask about STAF security
    You asked "is there a way to preserve the STAFHandle for the use of the rest of the application?" If that isn't a STAF question I don't know what is.
    janpla wrote:
    have 25+ years of experience
    Well done. Some of us have much more.
  • 5. Re: Security: a couple of questions
    gimbal2 Guru
    EJP wrote:
    Well done. Some of us have much more.
    Yeah yeah written compilers and have 2 books published. But can you handle a barbeque? Your accolades aren't worth much if you can't at least do that!
  • 6. Re: Security: a couple of questions
    janpla Newbie
    r035198x - thanks a lot for your reply. I know where to look for the information now, so I can go on and solve my problem.
  • 7. Re: Security: a couple of questions
    janpla Newbie
    EJP wrote:
    You asked "is there a way to preserve the STAFHandle for the use of the rest of the application?" If that isn't a STAF question I don't know what is.
    STAFHandle is an object that you get back from the STAF API; what exactly it is, is not relevant, as per the object idiom. And this is not a STAF question - it is a question about whether there is a way to preserve this object, that you have acquired somewhere in the Java EE authentication code, so that it can be seen and used elsewhere in other parts of the application. The answer to this may or may not be blindingly obvious to someone with long experience in Java EE development, but when you are new to it, the best way to learn is by doing and asking, in the hope that there are people around who are kind and patient enough. Fortunately, as it turns out, there were.
    EJP wrote:
    Well done. Some of us have much more.
    Yeah, "you were there when they built Stonehenge" :-)

    And it isn't really about dick-waving either; despite my long experience with development, I am not too proud to go and ask the stupid questions. Or perhaps it is because of my experience that I don't mind letting people know that I'm not possessed of divine insight. To my mind teaching is a duty and a privilege of those with experience.