2

I have an embedded GlassFish server and a small web app. I want to add a login-authentication thingy to it. Problem: all the tutorials I've found so far say to go to the GlassFish admin console on port 4848 and configure a JDBC realm there. Is it possible to do this using XML files like web.xml and glassfish-resources.xml, and provide them with my WAR? It would be nice to make my app completely portable. Thanks in advance!

Melissaa

2 Answers

1

Have you thought about simply creating a secure form for entering username/password and then just checking for those in your DB?

Giannis
  • Thanks for response! Could you elaborate? I've found something about 'programmatic login HttpServletRequest#login()' [http://stackoverflow.com/questions/2206911/best-way-for-user-authentication-on-javaee-6-using-jsf-2-0]. Is that what you mean? – Melissaa Apr 03 '12 at 13:17
  • Well, that one is quite informative. I guess it comes down to what level of protection you need. In a similar case where I had to create a login for a uni project, I simply had an HTTPS form, and the data entered was compared with JavaDB entities (I also had them encrypted on the way, but just for fun). I do not have any experience with industrial-level security. – Giannis Apr 03 '12 at 13:22
  • I would like some basic stuff: registration, login with a stay-logged-in option, denying access to all pages except the login page for unauthorized users, auto redirect from the login page for already authorized users. – Melissaa Apr 03 '12 at 13:39
  • Well, as I said, for that kind of stuff I just used JSF. It's probably not a good idea for industrial applications but it worked for my case. After you create the forms you need to make some modifications to the web.xml file to provide an HTTPS connection. Hope this can get you started. – Giannis Apr 03 '12 at 13:58
0

According to the Java EE 6 specifications (and to the Java EE 6 tutorial, chapter Overview of Java EE Security):

Security for components is provided by their containers

So, using the standard Security concepts, it's not wise to make your web application aware of realms and other features that should be managed by the container.

In theory there is a way for reaching your goal, but it's very complex and at the end of the day it's not even fully container-agnostic. This way consists in developing your own JAAS (Java Authentication and Authorization Service), and deploying it into the container before deploying your application.

You can find further reference in this JAAS Tutorial, from which I extract the following lines that explain the concept I have summarized above:

System level security is defined in terms of User Groups, called Roles, and in terms of security privileges mapping definitions, called Realms. Application level security is constituted from User Groups and Realms.

At the application level, security permissions also list the various application components that are accessible by each User Group in each Realm. Thus, when an application is deployed, its application level realms and roles are mapped to the system level realms and roles defined on the server.

perissf
  • 15,979
  • 14
  • 80
  • 117
  • Thanks for response! Could you, please, recommend me a tutorial or an example to start off? Also could 'HttpServletRequest#login()' be considered as a container managed thingy? – Melissaa Apr 03 '12 at 14:31
  • @Melissaa Here you can find an example using HttpServletRequest: http://docs.oracle.com/javaee/6/tutorial/doc/glxce.html . Regarding JAAS I have already inserted a link to a tutorial in my answer – perissf Apr 03 '12 at 15:03
  • Be welcome. If you think the answer was useful, you can upvote it or accept it – perissf Apr 03 '12 at 16:06
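
The programmatic login with `HttpServletRequest#login()` discussed in the comments above, as an added example that is not code from either answerer. The credential check is still done by the realm configured in the container; the paths `/login`, `/WEB-INF/login.jsp` and `/home` and the form field names are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: the URL paths and parameter names below are assumptions.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (req.getUserPrincipal() != null) {
            // Already authenticated: redirect away from the login page.
            resp.sendRedirect(req.getContextPath() + "/home");
            return;
        }
        req.getRequestDispatcher("/WEB-INF/login.jsp").forward(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (req.getUserPrincipal() != null) {
            // login() throws if a caller identity is already established.
            resp.sendRedirect(req.getContextPath() + "/home");
            return;
        }
        // Servlet 3.0 has no changeSessionId(): drop the pre-login session
        // so a session id planted before login is not reused afterwards.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        try {
            // The container validates the credentials against its realm.
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException e) {
            // One message for every failure, so the form does not reveal
            // whether the username exists.
            req.setAttribute("error", "Invalid username or password");
            req.getRequestDispatcher("/WEB-INF/login.jsp").forward(req, resp);
            return;
        }
        req.getSession(true); // fresh session for the authenticated user
        resp.sendRedirect(req.getContextPath() + "/home");
    }
}
```

Denying access to the other pages is still declared with a `security-constraint` in web.xml; the servlet only replaces the login step.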