
Consider Using JAAS for Authorization

by Serge Truth on August 9, 2011

Applies to

Applications written using Servlets or JSP.

What to Do

Consider using Java Authentication and Authorization Services for authorization.


As part of Java's security model, JAAS is proven to work with stand-alone and web-based applications. JAAS is fully integrated into the Java platform and requires minimal overhead when deploying within stand-alone and web-based applications.

If your application uses access control and authorizes its users to determine which roles can gain access to which resources, then consider using JAAS rather than devoting resources to creating your own design.

To authorize using JAAS:

  1. Create a JAAS policy. The JAAS policy stores the rights associated with the different types of users. It is loaded into the Java Virtual Machine (JVM) by using the -Djava.security.auth.policy flag when loading the JVM instance that hosts your application. The JAAS policy can be created using a typical text editor or the Java Policy Tool. An example policy file looks like:

    grant Principal application.auth.UserToken "joe" {
        permission java.security.SecurityPermission "AccessApp";
    };

    To provide extra flexibility in managing access controls, JAAS allows an application to append additional permissions to the current JAAS policy as well as to fully modify the JAAS policy during runtime.

    • Appending to the JAAS policy: To append additional permissions, the application component responsible for modifying the policy must be granted java.security.SecurityPermission "getPolicy" within the application's security policy.

      Example of appending additional permissions to a given user:

      import java.security.*;

      CodeSigner[] csign = null;
      CodeSource csource = new CodeSource(null, csign);
      Principal[] principals = new Principal[1];
      principals[0] = new application.auth.UserToken("joe");
      // A domain that stands in for code running on behalf of "joe"
      ProtectionDomain pDomain = new ProtectionDomain(csource, null, null, principals);
      java.security.Policy policy = java.security.Policy.getPolicy(); // requires SecurityPermission "getPolicy"
      PermissionCollection permCollect = policy.getPermissions(pDomain);
      SecurityPermission secPerm = new SecurityPermission("ModifyUser");
      // Note: the default file-based Policy returns a fresh copy from getPermissions(), so this
      // addition only changes what the JVM enforces if the installed Policy hands out its live collection
      permCollect.add(secPerm);
    • Amending the JAAS policy: To amend the policy, the application component responsible for modifying the policy must be granted java.security.SecurityPermission "setPolicy" within the application's security policy. Example:

      // ApplicationPolicy extends java.security.Policy and decides the permissions of each ProtectionDomain
      java.security.Policy policy = new ApplicationPolicy();

      // Add the appropriate permissions

      // Install it for the whole JVM; requires SecurityPermission "setPolicy"
      java.security.Policy.setPolicy(policy);

      Note that the ApplicationPolicy class is a custom implementation of Java's abstract Policy class. For more information, please consult the documentation for the Policy class in the Java SDK.

  2. Implement the PrivilegedExceptionAction. The PrivilegedExceptionAction invokes the authorization process. Using the Java Security Manager, the application verifies whether the current user is allowed to perform the desired task. Example:

    import java.security.*;
    import javax.security.auth.*;

    public final class AuthException implements PrivilegedExceptionAction<Object> {
        private String name;

        public AuthException(String name) {
            // Set the name of the requested action
            this.name = name;
        }

        public Object run() {
            Permission perm = new SecurityPermission(name);
            SecurityManager secMan = System.getSecurityManager();
            if (secMan == null) {
                secMan = new SecurityManager();
            }
            // Throws a SecurityException (AccessControlException) if the
            // current Subject's principals are not granted the permission
            secMan.checkPermission(perm);
            return null;
        }
    }
  3. Enforce the JAAS policy. Because JAAS is an entity-oriented model, it requires the impersonation of users when performing authorization. As such, the application impersonates the user when trying to perform a given task. If the user does not have sufficient permissions, the Java Security Manager will throw a security exception. Example:

    PrivilegedExceptionAction<Object> action = new AuthException("NameOfAction");
    // A denied permission surfaces as an unchecked SecurityException; the checked
    // PrivilegedActionException is only thrown if the action itself fails
    Subject.doAsPrivileged(subject, action, null);
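Putting the three steps together, as an added end-to-end example that is not code from the original post: a UserToken principal matching the policy entry from step 1, the permission check from step 2 and the impersonation from step 3, with a denial reported to the caller instead of propagating. It assumes the constructed app.policy file shown in the comment and a JDK on which the Security Manager is still available (deprecated since Java 17, disabled in Java 24).

```java
package application.auth;

import java.security.*;
import javax.security.auth.Subject;

// app.policy (constructed for this example), loaded with
//   java -cp out -Djava.security.manager -Djava.security.policy=app.policy application.auth.UserToken
//   grant { permission javax.security.auth.AuthPermission "doAsPrivileged"; };
//   grant Principal application.auth.UserToken "joe" {
//       permission java.security.SecurityPermission "AccessApp";
//   };
public final class UserToken implements Principal {
    private final String name;
    public UserToken(String name) { this.name = name; }
    // The policy matches a principal by class name plus getName(); equals/hashCode
    // keep the Subject's principal set well-behaved.
    @Override public String getName() { return name; }
    @Override public boolean equals(Object o) { return o instanceof UserToken && name.equals(((UserToken) o).name); }
    @Override public int hashCode() { return name.hashCode(); }
    @Override public String toString() { return "UserToken:" + name; }

    // Step 2: ask the Security Manager whether the impersonated Subject holds the permission.
    static final class CheckAction implements PrivilegedExceptionAction<Boolean> {
        private final String action;
        CheckAction(String action) { this.action = action; }
        @Override public Boolean run() {
            SecurityManager sm = System.getSecurityManager();
            if (sm == null) sm = new SecurityManager();   // still consults the loaded Policy
            sm.checkPermission(new SecurityPermission(action)); // AccessControlException if denied
            return Boolean.TRUE;
        }
    }

    // Step 3: impersonate the user; a denial becomes a boolean the caller can act on.
    public static boolean isAllowed(String user, String action) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new UserToken(user));
        try {
            return Subject.doAsPrivileged(subject, new CheckAction(action), null);
        } catch (AccessControlException denied) {
            return false;   // unchecked, so not wrapped in PrivilegedActionException
        } catch (PrivilegedActionException e) {
            throw new IllegalStateException(e.getException()); // the action itself failed
        }
    }

    public static void main(String[] args) {
        System.out.println("joe/AccessApp:  " + isAllowed("joe", "AccessApp"));
        System.out.println("joe/ModifyUser: " + isAllowed("joe", "ModifyUser"));
        System.out.println("eve/AccessApp:  " + isAllowed("eve", "AccessApp"));
    }
}
```

The AuthPermission "doAsPrivileged" grant is needed only when a Security Manager is installed at startup; without the -Djava.security.manager flag the fallback SecurityManager created inside run() performs the same Policy check.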

Topics: developer guidance, application security
