Sunday, April 14, 2013

Learning JAAS is really frustrating.

It took me a long time to figure out how to develop a login module for an application. I had already spent so much time digging into JAAS on Google until I found this one tutorial, a very nice and easy hands-on tutorial, which I think could give some hints to those who are serious about JAAS. Learning is a step-by-step process: without going too far, start from Helloworld and then gradually move on to Hollywood. I came across problems while learning JAAS, and I have collected 4 frustration points on this JAAS thing during my learning.

Frustration point 1: What value should I pass as LoginContext's first parameter?
The very first step in JAAS is to create a LoginContext, and every one of its overloaded constructors requires a name to be passed in. Interestingly, the documentation didn't state clearly that this parameter is actually the entry name from the login configuration file. Still confused about where the name is? The contents of the login configuration file look something like this:

< entry name > {
    < LoginModule > < flag > < LoginModuleOption >;
};

The entry name is the value I should pass into the first parameter of LoginContext.

Frustration point 2: What is the LoginModule in the login configuration file seen above?
I know the configuration can have multiple entries, and each entry must have an entry name. Underneath this name comes the LoginModule. Is this simply a name or what?

The documentation didn't clearly mention that this is actually the class that you, I and every programmer must provide in order to complete the login module. This custom LoginModule is simply a class which extends the LoginModule's implementation, meaning it is my responsibility to complete the class. The flag is a required field; skipping it causes a configuration error at runtime. There has been a discussion raised on StackOverflow about the LoginModule flag. LoginModuleOption is an additional setting that the login module may need for processing, but it is not mandatory.

Frustration point 3: What if I execute my program without a login configuration file?
No. This will cause a configuration error at runtime. Look at how the LoginContext constructor is documented: there is no way for me to skip the name parameter. I must always pass at least one valid entry name into the LoginContext constructor.

Frustration point 4: I have the configuration file, but why is there still a configuration error?
The configuration is not loaded by default, and it is not even loaded automatically when the program runs. There are three ways to load the configuration file:

1. Use the -Djava.security.auth.login.config command line argument. This is the most common, practical way that every programmer uses.
2. Configure the login configuration path in java.security under JDK_install_path/jre/lib. This sounds like good programming practice.
3. Use System.setProperty("java.security.auth.login.config", "jaas.config") right inside the program.
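
The four points above put together in one runnable file, as an added example that is not part of the original post. The class name DemoLoginModule, the entry name Sample, the options demoUser and demoPassword, and the credentials are all constructed for illustration; save it as DemoLoginModule.java, compile with javac and run.

```java
import java.nio.file.*;
import java.security.MessageDigest;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
// Hypothetical module: public class + public no-arg constructor so LoginContext can instantiate it.
public class DemoLoginModule implements LoginModule {
    private CallbackHandler handler;
    private Map<String, ?> options;  // LoginModuleOption values from the entry
    private boolean ok;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        handler = h;
        options = opts;
    }
    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user: ");
        PasswordCallback pass = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { name, pass });
        } catch (Exception e) {
            throw new LoginException("callback failed: " + e);
        }
        char[] pw = pass.getPassword();  // a copy; null if the handler set nothing
        // Constructed demo check; a real module verifies against a credential store.
        ok = pw != null && String.valueOf(options.get("demoUser")).equals(name.getName())
                && MessageDigest.isEqual(new String(pw).getBytes(),
                                         String.valueOf(options.get("demoPassword")).getBytes());
        pass.clearPassword();
        if (!ok) throw new FailedLoginException("bad credentials");
        return true;
    }

    public boolean commit() { return ok; }  // a real module adds Principals to the Subject here
    public boolean abort()  { ok = false; return true; }
    public boolean logout() { ok = false; return true; }

    public static void main(String[] args) throws Exception {
        // Constructed config: entry name, then module class, flag and options.
        String entry = "Sample {\n  DemoLoginModule required demoUser=\"alice\" demoPassword=\"s3cret\";\n};\n";
        Path cfg = Files.write(Files.createTempFile("jaas", ".config"), entry.getBytes());
        System.setProperty("java.security.auth.login.config", cfg.toString());  // way 3 in the list above
        LoginContext lc = new LoginContext("Sample", cbs -> {  // first argument = entry name
            ((NameCallback) cbs[0]).setName("alice");
            ((PasswordCallback) cbs[1]).setPassword("s3cret".toCharArray());
        });
        lc.login();  // throws LoginException on bad credentials or an unknown entry name
        System.out.println("authenticated via entry Sample");
    }
}
```

Changing the entry name passed to LoginContext, or removing the System.setProperty line, reproduces the configuration errors described in points 3 and 4.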
