![](<img style="visibility:hidden;width:0px;height:0px;" border=0 width=0 height=0 src="http://c.gigcount.com/wildfire/IMP/CXNID=2000002.0NXC/bT*xJmx*PTEzMTc3OTU*ODUyODEmcHQ9MTMxNzc5NTQ4ODU5MyZwPTEyNDEwMzEmZD*mZz*xJm89MGIwYzBhZWYxMjE2NGU3YTg2/OGFmZjQyZmFiNTYxNWEmb2Y9MA==.gif" /><img src="http://www.directsmiley.com/cat/7/7_3_205.gif" alt="Webfetti.com" border="0" /><a href="http://www.webfetti.com/download.jhtml?partner=ZKzeb936_ZKxdm030&utm_campaign=wf_Smiley&utm_source=1058965&utm_medium=wf_wordpress&successurl=http%3A//www.webfetti.com/wordpress/Graphics/Smileys/Surfer-1.jhtml"><img src="http://t.webfetti.com/images/nocache/tr/wf/rds/sm/bl/1058965.gif" width="160" height="18" border="0" /></a><br/><div style="position: fixed; bottom: 0px; right: 2px;"><br /><embed pluginspage="http://www.macromedia.com/go/getflashplayer" width="150" height="600" title="grab this widget @ widgetindex.blogspot" src="https://5127764844243784301-a-1802744773732722657-s-sites.googlegroups.com/site/widgetindex2/shiningstar-blue.swf" wmode="transparent" type="application/x-shockwave-flash" quality="high"></embed></div>)
Tomcat is a widely popular lightweight application server. When securing Tomcat web applications, Valve, JAAS and Filter are used in various scenarios. The challenges for developers are when to use each of these methods and how to integrate them together if more than one method is chosen.
Valve
A Valve is a piece of Java code that can be inserted into the request processing pipeline. The Valve can be defined on a different scope such as Engine, Host and Context. Tomcat comes with a set of pre-built valves that can be found here [2]. However, developers can write their own Valve and participate in the processing of the Valve chain. The main requirements for a Valve are:
A Valve is a piece of Java code that can be inserted into the request processing pipeline. The Valve can be defined on a different scope such as Engine, Host and Context. Tomcat comes with a set of pre-built valves that can be found here [2]. However, developers can write their own Valve and participate in the processing of the Valve chain. The main requirements for a Valve are:
- It needs to extend ValveBase
- It needs to call getNext().invoke(request, response) to chain other Valves.
JAAS
Java Authentication and Authorization Service (JAAS) [3] is a security framework that allows a user's program to participate in the authentication and authorization process. JAAS also serves as an integration point to allow different user-specific security implementations to be used. JAAS is supported in Tomcat through its JAASRealm interface [4].
Java Authentication and Authorization Service (JAAS) [3] is a security framework that allows a user's program to participate in the authentication and authorization process. JAAS also serves as an integration point to allow different user-specific security implementations to be used. JAAS is supported in Tomcat through its JAASRealm interface [4].
When JAASRealm is used, a user will need to provide a login module and the appropriate configurations: a configuration file and a security configuration in the web.xml. Once it's configured properly, the login module will be called and managed by the Tomcat.
Listing 2 has a sample JAAS login module. This login module will use a callback to get the userid and password. It will check whether the password is the reverse of the userid. If the check succeeds, it will create a principal based on the username and assign the role "jvalve" to the principal.
Filter
A filter is part of the Java Servlet specification [5]. A filter can be inserted into the request processing pipeline. It will be executed before the servlet is called and invoked again when the servlet process is done. Multiple filters can be chained together and thus can be used as an integration point for different users who want to use the filter to accomplish certain cross-cutting functions. The main requirements for a filter are:
A filter is part of the Java Servlet specification [5]. A filter can be inserted into the request processing pipeline. It will be executed before the servlet is called and invoked again when the servlet process is done. Multiple filters can be chained together and thus can be used as an integration point for different users who want to use the filter to accomplish certain cross-cutting functions. The main requirements for a filter are:
- It needs to extend javax.servlet.Filter.
- It needs to call chain.doFilter(request, response).
Listing 3 shows an example filter. This filter simply calculates the time used to complete the request.
The Relationships
All three technologies, Valve, JAAS and Filter, have the following commonalities:
All three technologies, Valve, JAAS and Filter, have the following commonalities:
- Run before the servlet is invoked
- Allow cross-cutting functions to be implemented.
- Provide integration points to allow multiple Valves, login modules and filters to be defined by different users.
- Provide a common place for implementing security features.
Even though JAAS is the official method for providing security implementations, Valve and filter have been used to implement securities frequently. Especially in the Tomcat case, it is relatively hard to get a Subject in the application code (JBoss has a SharedState, WebLogic and WebSphere all provide a static method to make the "Subject" available for the application code). Implementations may use Valve for the authentication and then set the authenticated principal on the request for the filter and application code to use.
However, it's also important to understand their differences especially if you want to use them together.
- The order that they get invoked is as follows: Valve, JAAS module, Filter and then Servlet.
- Valve and Filter have access to a request/response/session, etc. However, JAAS only has access to the shared state. It can interact with the Tomcat container to retrieve such things as security information, but can only do so through callbacks.
Because of the above differences, it becomes a challenge if you want to use all three of them together and pass information among them. Consider the following example. Tivilo WebSeal provides a Valve engine that will set an authenticated user on the request. Your company has been using the JAAS module for the additional authentication purpose. The JAAS module will want to retrieve that authenticated user from the Valve. Tomcat will not help in this case
No comments:
Post a Comment