Sunday, June 2, 2013

JAAS is not for human beings

I have spent quite a number of months on this JAAS topic already, but in the end I have still failed to configure it on the web project. I have been trying so hard to get it to work, and have read tons of resources on the configuration, and now I am damn tired of this JAAS (on the web). During this experiment, I found out that JAAS is just a low-level security framework to secure the resources beyond the web application level. It is so low-level that I am required to configure it in the server. Frankly speaking, such low-level configuration isn't my favorite due to its maintenance effort.

Take for example, I'm required to put the following code in catalina.policy under <tomcat_dir>/conf:

export JAVA_OPTS=-Djava.security.auth.login.config==$CATALINA_HOME/conf/login.config

I find this so not programmer-friendly when it comes to development. Anyhow, there is a workaround: put the following code inside Eclipse's server launch configuration under the VM arguments:

-Djava.security.auth.login.config="<tomcat_dir>\conf\login.config"

Launching the server shows my expected login page; after I type in the correct username and password, the browser redirects me to HTTP Status 403 - Access to the requested resource has been denied.

What else did I misconfigure? I think I will just forget about the JAAS thing since Spring Security can achieve my objective easily.
