I haven’t been looking forward to writing summaries for each chapter. I rarely read the summaries in books, so they seem like filler to me. But, I understand that they’re quite needed.
And, after having written them up, they do provide a nice, quick overview of the book when they’re smashed together.
We still have 2-3 more chapters to write, plus appendixes and “front matter” and “back matter” (HEY-OO! MATTER! HO-HO! YES!). Here are the summaries (I gotta get some blog action out of all that typin’!):
Chapter 1: Introducing JAAS
Our first encounter with security in Java began with the need to
provide a secure web application for accessing employee
information. With that problem at hand, we started exploring the broad
topic of Java security, and narrowed down to the Java Authentication
and Authorization Service, or JAAS. We introduced JAAS’s primary
concepts and classes: permissions, policies, and the service layers
needed to enforce the granting of permissions. While we dipped our toe
into the code-waters of JAAS, our discussion remained fairly
high-level so that we could establish the domain needed to dive into
the code.
Chapter 2: Getting Started with the Java Authentication and Authorization Service
With the astronaut’s- and bird’s-eye views of security and Java
security, we further brought the discussion down to the worm’s-eye
view of JAAS in this chapter. Our discussion included an overview of
core classes in JAAS such as Policy, Permission, Subject, and
Principal. We discussed the roles of each class and spent time
decomposing them into their parts. Without too much detailed
discussion, which we’ve saved for the upcoming chapters, we went over
one short example of using JAAS to give you a basic sense of both how
JAAS works and what JAAS-enabled code looks like.
Chapter 3: Authentication
This chapter introduced the JAAS classes used to authenticate, or “log
in” users. In the opening sequence diagram, and following discussion,
we saw that the LoginContext is used as a controller to coordinate the
use of the other classes such as Configuration and LoginModules, and as
the glue for putting together the other authentication classes. We
also covered LoginModule’s life-cycle in depth and provided a simple
example of implementing a LoginModule. Finally, we discussed some of
the finer methods available on Subject, along with how and why you
might use them.
Chapter 4: Database Backed Authentication
While the previous chapter introduced the domain classes that compose
JAAS’s authentication services, this chapter demonstrated a way to
customize those classes to create a database backed authentication
layer. First, we went over one way to store the components of the
Configuration object in the database, allowing you to more dynamically
specify the LoginModules required to authenticate users. Next, we
covered one way to implement database backed Subjects and their
Principals. Finally, to perform the actual authentication, we created
a custom LoginModule that used the database to verify credentials
and, if the Subject successfully logged in, added the appropriate
database-backed Principals to the Subject.
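As an added illustration of what chapters 3 and 4 describe (the LoginContext/Configuration/LoginModule collaboration and a LoginModule that verifies credentials and then attaches Principals to the Subject), here is a complete, self-contained example. It is not code from the book or from the author; the `MapLoginModule`, the `"demo"` application name, the programmatic `Configuration` and the single sample user are all constructed for this post, an in-memory map with SHA-256 digests stands in for the book's database, and the JDK's `X500Principal` stands in for the book's own database-backed Principal class.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

public class JaasLoginDemo {

    /** Hypothetical LoginModule; the in-memory table stands in for the book's database. */
    public static class MapLoginModule implements LoginModule {
        // Constructed sample user: name -> SHA-256 of the password (a real store would use a salted, slow hash such as PBKDF2).
        private static final Map<String, byte[]> USERS = new HashMap<>();
        private static final byte[] DUMMY = sha256("");
        static { USERS.put("alice", sha256("correct horse battery staple")); }

        private Subject subject;
        private CallbackHandler handler;
        private X500Principal pending;   // verified by login(), attached by commit()
        private X500Principal committed; // attached by commit(), removed by logout()

        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h;
        }

        /** Phase 1: verify the credentials without touching the Subject. */
        @Override public boolean login() throws LoginException {
            NameCallback nameCb = new NameCallback("user: ");
            PasswordCallback passCb = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nameCb, passCb }); }
            catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e.getMessage());
            }
            char[] pw = passCb.getPassword();
            byte[] actual = sha256(pw == null ? "" : new String(pw));
            if (pw != null) java.util.Arrays.fill(pw, '\0');
            passCb.clearPassword();
            byte[] expected = USERS.get(nameCb.getName());
            // Constant-time compare; unknown names are still compared (against DUMMY) so timing stays uniform.
            boolean match = MessageDigest.isEqual(expected != null ? expected : DUMMY, actual);
            if (expected == null || !match) throw new FailedLoginException("invalid user name or password");
            pending = new X500Principal("CN=" + nameCb.getName());
            return true;
        }

        /** Phase 2: every module's login() passed, so attach our Principal to the Subject. */
        @Override public boolean commit() {
            if (pending == null) return false;
            subject.getPrincipals().add(pending);
            committed = pending; pending = null;
            return true;
        }

        /** Phase 2 failure path: another module failed, so undo anything we did. */
        @Override public boolean abort() { pending = null; return logout(); }

        @Override public boolean logout() {
            if (committed != null) { subject.getPrincipals().remove(committed); committed = null; }
            return true;
        }

        private static byte[] sha256(String s) {
            try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
            catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
        }
    }

    /** Programmatic Configuration: the "demo" application requires MapLoginModule. */
    static final Configuration CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!"demo".equals(name)) return null;
            return new AppConfigurationEntry[] { new AppConfigurationEntry(MapLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
        }
    };

    /** Supplies fixed credentials; a web app would take them from the request instead. */
    static CallbackHandler handlerFor(String user, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        Subject subject = new Subject();
        LoginContext ctx = new LoginContext("demo", subject,
                handlerFor("alice", "correct horse battery staple".toCharArray()), CONFIG);
        ctx.login();   // runs login() on every module, then commit() on each
        System.out.println("logged in; principals = " + subject.getPrincipals());
        ctx.logout();  // removes the Principal that commit() attached
        System.out.println("after logout; principals = " + subject.getPrincipals());
    }
}
```

Running `main` prints the Subject with `CN=alice` attached and then empty again after `logout()`. Feeding a wrong password through `handlerFor` makes `ctx.login()` throw the `FailedLoginException` after the LoginContext has called `abort()` on the module, which is the life-cycle the chapter walks through: `login()` only verifies, and the Subject is touched in `commit()` or cleaned up in `abort()`.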
Chapter 5: Permissions and Access Control
We’ve introduced the primary classes that compose JAAS’s authorization
services. In doing so, we’ve gone over a detailed discussion of JAAS’s
core authorization classes:
- The permission classes Permission, PermissionCollection and the heterogeneous Permissions container.
- ProtectionDomain, which is used to describe the permissions granted to a Subject and/or grouping of code.
- The SecurityManager and AccessController, which provide the core services layer for enforcing permission checks. Also, the special doAs() methods on Subject that allow you to create Subject-based access contexts.
- The Policy, which provides the service interface for determining which permissions are granted to which Principals, and thus, which Subjects.
In the next chapter(s) we’ll use several of these classes to
develop a database backed, dynamic Policy.
Chapter 6: A Custom Policy
This chapter demonstrated integrating JAAS’s authorization
functionality with a database. To accomplish this goal, we first created
a CompositePolicy class that allowed us to use multiple Policy instances at the
same time. Next, we created a custom Policy implementation that was
backed by a database rather than a flat file. Using a database instead
of the flat files allows your application to more easily specify
Permissions at runtime and provides an easier way to maintain all of
the Permission grants in your system than flat files allow for.
Chapter 7: Authentication Base Classes
As we’ve seen in previous chapters, JAAS is composed of several
interfaces and base classes that you’ll find yourself implementing and
extending again and again. Unless you have a set of base classes to take
care of the repetitive, but needed, basic code (such as toString(),
equals(), and hashCode()) you’ll end up implementing the same
functionality several times over. The base classes provided in this
chapter for Principals, credentials, CallbackHandlers, and Permissions
take care of that repetitive code, allowing you to focus on the
business logic of your application’s security instead of the tedious
plumbing.
Chapter 8: JAAS for Data Access Control
This chapter provided a concise example of using JAAS for data access
control. When you’re restricting access to specific instances of objects
or data, not just general, system-wide actions, you’re doing data
access control. For our example, we created a small data object that
represented a Record, and a service layer, RecordKeeper, that
performed persistence and lookup for that data object. Also, we
created a custom Permission, RecordPermission, that was used by
RecordKeeper to restrict the actions of creating, reading, updating,
and deleting specific Records. As the demonstration at the end of this
chapter showed, this powerful, yet simple model allowed us to easily
control access to each individual Record.
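As an added example covering both the permission model of chapter 5 (a custom Permission with its own `implies()` logic, and grants tied to Principals rather than to Subjects directly) and the data access control of chapter 8 (a RecordKeeper that guards create, read, update and delete on individual Records), here is a self-contained program. It is not the book's code: `RecordPermission`, `RecordKeeper`, the record ids and the grant table are constructed for this post, the JDK's `X500Principal` stands in for the book's Principal classes, and the grant table plus the explicit `isGranted()` lookup stand in for the book's database-backed Policy consulted through the AccessController (that SecurityManager machinery is deprecated in current JDKs, so the check is done directly against the Subject's Principals here).

```java
import java.security.Permission;
import java.security.Principal;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

public class RecordAccessDemo {

    /** Hypothetical Permission: target is a record id (or "*"), actions a subset of create,read,update,delete. */
    public static final class RecordPermission extends Permission {
        private static final Set<String> ALL = Set.of("create", "read", "update", "delete");
        private final Set<String> actions = new TreeSet<>();

        public RecordPermission(String recordId, String actionList) {
            super(recordId);
            for (String a : actionList.split(",")) {
                String act = a.trim().toLowerCase(Locale.ROOT);
                if (!ALL.contains(act)) throw new IllegalArgumentException("unknown action: " + act);
                actions.add(act);
            }
            if (actions.isEmpty()) throw new IllegalArgumentException("no actions given");
        }

        /** A grant implies a request when the target matches (or the grant is "*") and covers every requested action. */
        @Override public boolean implies(Permission p) {
            if (!(p instanceof RecordPermission)) return false;
            RecordPermission req = (RecordPermission) p;
            boolean targetOk = "*".equals(getName()) || getName().equals(req.getName());
            return targetOk && actions.containsAll(req.actions);
        }

        @Override public String getActions() { return String.join(",", actions); }
        @Override public boolean equals(Object o) {
            return o instanceof RecordPermission && ((RecordPermission) o).getName().equals(getName())
                    && ((RecordPermission) o).actions.equals(actions);
        }
        @Override public int hashCode() { return 31 * getName().hashCode() + actions.hashCode(); }
    }

    /** Constructed grant table standing in for the book's database-backed Policy: Principal -> granted Permissions. */
    static final Map<Principal, Set<Permission>> GRANTS = new HashMap<>();
    static {
        GRANTS.put(new X500Principal("CN=alice"), Set.of(new RecordPermission("*", "create,read,update,delete")));
        GRANTS.put(new X500Principal("CN=bob"), Set.of(new RecordPermission("rec-42", "read"),
                                                       new RecordPermission("rec-43", "read,update")));
    }

    /** Does any Principal of the Subject hold a grant that implies the requested Permission? */
    static boolean isGranted(Subject subject, Permission requested) {
        for (Principal p : subject.getPrincipals()) {
            for (Permission granted : GRANTS.getOrDefault(p, Set.of())) {
                if (granted.implies(requested)) return true;
            }
        }
        return false;
    }

    /** Service layer guarding each operation on an individual Record with a RecordPermission. */
    public static final class RecordKeeper {
        private final Map<String, String> store = new HashMap<>();

        private static void check(Subject s, String id, String action) {
            if (!isGranted(s, new RecordPermission(id, action))) throw new SecurityException("denied " + id + ":" + action);
        }
        public void create(Subject s, String id, String body) { check(s, id, "create"); store.put(id, body); }
        public String read(Subject s, String id) { check(s, id, "read"); return store.get(id); }
        public void update(Subject s, String id, String body) { check(s, id, "update"); store.put(id, body); }
        public void delete(Subject s, String id) { check(s, id, "delete"); store.remove(id); }
    }

    static Subject subjectFor(String cn) {
        Subject s = new Subject();
        s.getPrincipals().add(new X500Principal("CN=" + cn));
        return s;
    }

    public static void main(String[] args) {
        RecordKeeper keeper = new RecordKeeper();
        Subject alice = subjectFor("alice"), bob = subjectFor("bob");
        keeper.create(alice, "rec-42", "payroll");          // "*" grant covers any record
        keeper.create(alice, "rec-43", "notes");
        System.out.println("bob reads rec-42: " + keeper.read(bob, "rec-42"));
        keeper.update(bob, "rec-43", "notes v2");            // rec-43 grant includes update
        try { keeper.update(bob, "rec-42", "tampered"); }    // rec-42 grant is read only
        catch (SecurityException e) { System.out.println(e.getMessage()); }
        try { keeper.delete(bob, "rec-43"); }                // no delete grant anywhere
        catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

The `implies()` method is where the per-record model lives: a grant on `"*"` covers every record, a grant on one id covers only that id, and the action set must cover everything the request asks for. Keeping that logic inside the Permission, rather than in RecordKeeper, is what lets the service layer stay a one-line check per operation.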
Chapter 9: JAAS in Web Applications
With a good understanding of JAAS under our belts, we were ready to
start using JAAS in a web application. The first step in using JAAS in a
web application was modifying the application’s web.xml file to enable
authentication. Once authentication was enabled, we learned how to
customize the different JSP pages used by the web container to log a
user in and display error messages. With the configuration under our
belts, we went over two simple ways to secure parts of any web
application: URL access restrictions and a custom tag library that
conditionally displays its JSP body according to the roles the logged-in
Subject has.
Chapter 10: Extending JAAS Integration in Web Applications
This chapter introduced several ways to use JAAS to secure a web
application. First, we used a ServletFilter to get the authenticated
Subject from the web container. Once we had the Subject, we could wrap
an entire request in a privileged filter, allowing the code to execute
as the requesting Subject. Finally, we implemented two tags that
conditionally show their JSP bodies if the appropriate Permission has
been granted to the logged in Subject. With each of the above, you can
easily use JAAS to secure any web application.
Is it safe to assume this is going to be a Manning book? When is it slated for release?
Hi Michael,
I am contacting you because several months ago I started a security project for web applications called jGuard, based on JAAS.
It appears many ideas detailed in your forthcoming JAAS book are already implemented in jGuard. Maybe you would have some interest in jGuard.
Are you interested in exchanging some ideas about JAAS and J2EE?
You can contact me by mail (diabolo512[AROB]users.sourceforge.net).
Sincerely yours,
Charles GAY (diabolo512).