The current EJB (Enterprise JavaBeans) specification supports basic declarative, role-based access-control mechanisms, but provides limited support for coding application-specific security checks. Moreover, it doesn't define any way to factor out access-control code from business logic, or to integrate external authorization services. The open source, J2EE-compliant (Java 2 Platform, Enterprise Edition) JBoss application server features a protection-proxy security architecture that will help you overcome these restrictions. (4,500 words; February 15, 2002)
2. Integrate security infrastructures with JBossSX
The current Enterprise JavaBeans and Servlet specifications omit integration between the application server and existing security infrastructures. This article describes how version 2.4 of the open source JBoss application server security extension project (JBossSX) uses Java Authentication and Authorization Service (JAAS) login modules as its integration API. JAAS allows integration without programming for security infrastructures that use Java Database Connectivity, the Lightweight Directory Access Protocol (LDAP), or properties-based login modules bundled with JBoss. For security infrastructures that do not support those access mechanisms, integration entails writing a simple custom login module. (5,900 words)