
New to Java EE6 and I'm trying to set up a JDBCRealm. Many of the examples suggest making the tables that hold user/group information by hand in SQL.

Is there a more standard "JPA" way of doing it though? The tables Glassfish expects don't fit with the kind of table structures you'll end up with if you use e.g. a OneToMany mapping (which is what I was hoping I could use).

I read Glassfish still uses JDBC to accomplish the JDBCRealm, which would explain why. And I came across this blog which suggests a way to do it with JPA.

http://www.codeproject.com/Articles/238779/J2EE-JDBC-based-authentication-with-JPA-Entities-i

But is there an 'official' way to do it with JPA? I want to make sure I follow best-practice to ensure I have a secure application.

Thanks

Richard
  • Regardless of your ultimate solution, you should probably avoid JDBCRealm in a production system. If it hasn't changed since the fork from Apache Tomcat, then it's still single-threaded and therefore all credential checks, etc. will be serialized. At least use DataSourceRealm and allow Glassfish to use a connection pool. – Christopher Schultz May 15 '12 at 21:36
  • Thanks Christopher. If that's the best current way to do auth then I'll go with your suggestion. Had not heard of DataSourceRealm. Kinda re-learning Java so want to make sure I'm doing everything the right way (as up-to-date as possible). – Richard May 15 '12 at 22:41
  • I see DataSourceRealm on the JBoss website, but not much about it on the Glassfish one. Is it the best way forward for JDBC-based authentication? – Richard May 17 '12 at 20:17
  • I'm thinking of using FlexibleJDBCRealm now. Has anyone used it? http://flexiblejdbcrealm.wamblee.org/site/ – Richard May 17 '12 at 21:22
  • I got FlexibleJDBCRealm working after I added a bounty. Always happens..! I was just not creating the realm in the correct server configuration. I created it in 'server-config' rather than 'default-config'. It needs to be in 'default-config'. The instructions on the website are correct. This is MUCH better than the JDBCRealm because my tables are generated by JPA so do not match the structure required by JDBCRealm. – Richard May 20 '12 at 17:10

1 Answer


A few months ago I wanted to create my JDBC Realm with Glassfish and I also had lots of doubts. I will try to explain to you more or less how I did it using JPA.

"Many of the examples suggest making the tables that hold user/group information by hand in SQL"

I disagree. If you are using JPA for other tasks related to persistence, why would you make an exception when it comes to security? So JPA is a good idea. Copy/pasting a chunk of SQL into your DB console is easy, but it is better if you have entities that will always automatically create those tables for you when you deploy your app.

The tutorial you are following is fine; I think there is no such thing as a best practice.

I will give you some resources that I think will help you create the JDBC realm. Maybe you are interested in something a bit simpler, just to warm up; in that case have a look at this post:

http://javing.blogspot.in/2012/05/here-in-this-video-you-can-see-how-i.html

It talks about ROLE-based security in Glassfish; I think it can give you some tips.

If you want to know how to create the JDBC realm with JPA, follow this question I asked some time ago; at the end you will find the solution:

Glassfish 3 security - Form based authentication using a JDBC Realm

If you paste some code we could help you troubleshoot in case you get stuck.

javing
  • Hi sfrj, thanks for this. The second link provides a LOT of really useful information and I will probably refer to it quite a lot! In my case I have got FlexibleJDBCRealm working and it seems really good. The mailing lists are very quiet so I am not sure how much use it is getting, but so far I think it's a very well-written realm. I am new to this so your post will be really useful for me. Many thanks! – Richard May 22 '12 at 22:21
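
As an added example (not code from the question, the answer or the linked posts): one JPA 2.0 mapping that generates tables in the shape the stock JDBCRealm queries, with a group table keyed directly by user name instead of a OneToMany join through a generated id. The entity, table and column names are hypothetical, and the sketch assumes the realm is configured with the properties listed in the comment and hashes passwords with the same character set.

```java
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashSet;
import java.util.Set;
import javax.persistence.*;

// Hypothetical entity: table and column names are chosen for this example.
// Assumed realm properties: user-table=APP_USER, user-name-column=USERNAME,
// password-column=PASSWORD, group-table=APP_USER_GROUP,
// group-name-column=GROUPNAME, digest-algorithm=SHA-256, encoding=Hex.
@Entity
@Table(name = "APP_USER")
public class AppUser {
    @Id
    @Column(name = "USERNAME", length = 64)
    private String username;

    // Stores only the lowercase hex digest, never the clear-text password.
    @Column(name = "PASSWORD", length = 64, nullable = false)
    private String passwordDigest;

    // Collection table keyed by USERNAME, so groups can be looked up by
    // login name without joining through a surrogate id.
    @ElementCollection(fetch = FetchType.EAGER)
    @CollectionTable(name = "APP_USER_GROUP", joinColumns = @JoinColumn(name = "USERNAME"))
    @Column(name = "GROUPNAME", length = 64, nullable = false)
    private Set<String> groups = new HashSet<String>();

    protected AppUser() { }  // no-arg constructor required by JPA

    public AppUser(String username, String password, Set<String> groups) {
        this.username = username;
        this.passwordDigest = sha256Hex(password);
        this.groups.addAll(groups);
    }

    // The digest must be produced exactly as the realm will recompute it at login.
    static String sha256Hex(String password) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                    .digest(password.getBytes(Charset.forName("UTF-8")));
            StringBuilder hex = new StringBuilder(d.length * 2);
            for (byte b : d) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Because the group names are an `@ElementCollection` of strings rather than a separate entity, the generated `APP_USER_GROUP` table has just the `USERNAME` and `GROUPNAME` columns.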