Java EE 7 Form based authentication
3

8

I'm currently working on a web application based on Java EE 7, PostgreSQL and the application server GlassFish 4. I need to implement a form based authentication, and to secure some URLs, knowing that:

  • the users and the roles/groups (whatever they are called) are stored in the database.
  • I want my application to be as "standard" as possible (i.e. I am currently using JSF and JPA, and no other framework like Spring, Struts, ...)

After some research, I found that Java EE provides a standard authentication mechanism called JASPIC. So I focused my research on JASPIC and I read multiple Stackoverflow Q/As and those articles written by Arjan Tijms (it's almost impossible to find a Stackoverflow Q/A related to Java EE without one of his answers or comments; thanks to him by the way):

My question is: will JASPIC allow me to do what I need (form authentication + URL restriction with roles), and is it worth the effort to use it? What I mean is: it's perhaps safer and easier to use another mechanism.

Arjan Tijms also says that whether or not to use JASPIC is "a kind of chicken-and-egg problem", and if JASPIC is safe to use (it doesn't create more problems than it solves), no matter the amount of code I need to write, I really want to be "one of the first chickens".

Longinus answered 24/4, 2014 at 9:56 Comment(1)
Security is to increase safety, not to enforce it. You are only as safe as the weakest link in your system runtime environment, and often that weakest link is a human being. In my honest opinion everything you need to know to make up your mind is in that first (wonderful) link you posted. Thanks for sharing those by the way. Other than that, there is also the JEE tutorials page on security: docs.oracle.com/javaee/6/tutorial/doc/gkbaa.html – Devoirs
3

I'm using JASPIC for my authentication, but JASPIC has one limitation you need to contend with (if you want things standard). You're limited to having no dependencies outside of the Java EE 7 API. This means access to JDBC resources which require a driver is not a capability that is explicitly stated in the standards.

In my OpenID Connect implementation I used Google as my secure store, which also presents me with the Google login form. That is a larger example of using JASPIC though.

For yourself, you can expose an EJB to the global namespace and use InitialContext to get the EJB. There'd be some code duplication in that you have to copy the EJB remote interface code in two places and ensure the `serialVersionUID`s are the same on both. The EJB can be used to connect to the JPA resources to get your authorization data.

Use EJBs, because the other two options you may think of are REST and SOAP which would be exposing something on your web ports and would require some extra configuration to prevent unauthorized access or require they be placed on a different system.

A simple JASPIC implementation I created in case you want to learn is the HTTP Header JASPIC module which is intended for integration with more complex systems like SiteMinder.

Camisole answered 10/10, 2014 at 3:44 Comment(1)
That example implementation is brilliant! :) – Gary
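A sketch of the approach described in this answer, added here as an example and not code from the answer or from any project: a JASPIC ServerAuthModule that checks a posted login form, fetches the caller's groups through an EJB looked up via InitialContext (so the module itself needs no JDBC driver), and lets unprotected URLs through anonymously. The class name `FormServerAuthModule`, the `UserStore` EJB interface with its `groupsFor(user, password)` method (assumed to return the caller's groups, or null for bad credentials), the JNDI name `java:global/myapp/UserStore` and the `/login.xhtml` page are all assumptions.

```java
import java.util.List;
import java.util.Map;
import javax.naming.InitialContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

public class FormServerAuthModule implements ServerAuthModule {
    // The container stores "true"/"false" under this key for protected/unprotected URLs.
    private static final String IS_MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    private CallbackHandler handler;
    public void initialize(MessagePolicy req, MessagePolicy resp, CallbackHandler h, Map opts) { handler = h; }

    public AuthStatus validateRequest(MessageInfo info, Subject client, Subject service)
            throws AuthException {
        HttpServletRequest req = (HttpServletRequest) info.getRequestMessage();
        HttpServletResponse resp = (HttpServletResponse) info.getResponseMessage();
        String user = req.getParameter("j_username");
        String pass = req.getParameter("j_password");
        try {
            if (user != null && pass != null) {
                // Hypothetical EJB exported to the global JNDI namespace; it does the DB work.
                UserStore store = (UserStore) new InitialContext().lookup("java:global/myapp/UserStore");
                List<String> groups = store.groupsFor(user, pass); // null = invalid credentials
                if (groups != null) {
                    handler.handle(new Callback[] { new CallerPrincipalCallback(client, user),
                        new GroupPrincipalCallback(client, groups.toArray(new String[0])) });
                    return AuthStatus.SUCCESS; // caller and groups now visible to isUserInRole()
                }
            }
            // Unprotected URL: let the request through as an anonymous caller.
            if (!Boolean.parseBoolean((String) info.getMap().get(IS_MANDATORY))) {
                handler.handle(new Callback[] { new CallerPrincipalCallback(client, (String) null) });
                return AuthStatus.SUCCESS;
            }
            // Protected URL without valid credentials: send the login form instead of the resource.
            resp.sendRedirect(req.getContextPath() + "/login.xhtml");
            return AuthStatus.SEND_CONTINUE;
        } catch (Exception e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
    }
    public AuthStatus secureResponse(MessageInfo info, Subject s) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo info, Subject s) { }
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }
}
```

Registering the module with the container's AuthConfigFactory (typically from a ServletContextListener) is not shown; once registered, the URL-to-role restrictions stay in web.xml as usual.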
-4

I do not know JASPIC, but may I suggest you take a look at the Shiro framework.

It lets you do pretty much everything you need, based on your post, with minimal configuration.

Marrs answered 24/4, 2014 at 12:28 Comment(1)
I generally avoid using frameworks like Shiro unless I plan to take control of the whole application authentication/authorization in a web tier only, primarily because the target platform does not support the whole Java EE stack. – Camisole
-4

For form based authentication and authorization, you need JAAS. Go through the following URL: link

Araliaceous answered 1/7, 2014 at 8:12 Comment(1)
Things are somewhat more subtle in Java EE; you should have a look at this post. – Pretypify

© 2022 - 2024 — McMap. All rights reserved.