Steve Millidge for Java Magazine – Custom Servlet Authentication Using JASPIC


The new Java Magazine is out now, featuring a lot of useful articles about enterprise Java – not so much Java EE as a platform, but individual services that can be useful as part of a larger solution. See below for an introduction to my article on Custom Servlet Authentication Using JASPIC, also featured in the magazine. 

When you build web applications using Java EE, you often need to work with some organization-specific user repository for authenticating users and obtaining a user’s groups. Typically users are defined in a specific database, a strange LDAP configuration, or some other user-identity store specific to the project. All Java EE application servers ship with the capability to integrate with a common set of identity stores. For example, GlassFish Server ships with several so-called realms: file, LDAP, JDBC, Oracle Solaris, PAM, and certificate. 

Each realm needs to be manually configured, and the configuration is specific to the application server and outside the control of your application. If the predefined realms don't fit your needs, you then need to develop an application-specific module to extend the capabilities using application server–specific APIs. Many developers faced with this prospect build some custom code in the web application, which integrates with their required identity store and uses application-specific mechanisms to manage authentication and authorization.

The problem with this approach is that these developer-designed mechanisms for managing authentication are not integrated with the application server, so the standard Java EE security model does not apply: the container never learns who the caller is, Java EE APIs such as HttpServletRequest.isUserInRole and getUserPrincipal can't be used, and standard Java EE declarative security (the security constraints in web.xml) cannot be enforced. In this article, I examine an alternative solution that is tucked away in Java EE. I expect readers to have a basic working knowledge of Java EE and its authentication mechanisms.
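As an added example that is not the article's own code, here is a minimal JASPIC `ServerAuthModule` for the Servlet Container Profile. It takes the credentials from the `username` and `password` request parameters (parameter names are an assumption), checks them against a constructed in-memory store (users `alice` and `bob`, a stand-in for the JDBC or LDAP lookup a real project would do), and hands the result to the container through the standard `CallerPrincipalCallback` and `GroupPrincipalCallback`. Because the container itself establishes the caller, `isUserInRole`, `getUserPrincipal` and web.xml security constraints work as they would for a built-in realm. The class name `ParameterAuthModule` is hypothetical, and registering the module with the container (via `AuthConfigFactory` or a vendor descriptor) is not shown.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not the article's code: a JASPIC SAM that authenticates from
// request parameters and lets the container establish the caller and groups.
public class ParameterAuthModule implements ServerAuthModule {

    // Constructed sample identity store: username -> {password, group, group...}.
    // A real module would look the user up in JDBC/LDAP and compare a salted hash.
    private static final Map<String, String[]> STORE = new HashMap<>();
    static {
        STORE.put("alice", new String[] {"s3cret", "users", "admins"});
        STORE.put("bob",   new String[] {"hunter2", "users"});
    }
    private CallbackHandler handler;

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler;  // container-supplied: turns callbacks into container security state
    }

    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] {HttpServletRequest.class, HttpServletResponse.class};
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        // Servlet profile: "true" when the target resource is covered by a security constraint.
        boolean mandatory = Boolean.parseBoolean(String.valueOf(
                messageInfo.getMap().get("javax.security.auth.message.MessagePolicy.isMandatory")));
        try {
            // Caller already registered in this session (registerSession below): re-assert it
            // rather than asking for credentials again.
            Principal existing = request.getUserPrincipal();
            if (existing != null) {
                handler.handle(new Callback[] {new CallerPrincipalCallback(clientSubject, existing)});
                return AuthStatus.SUCCESS;
            }
            // getParameter() also reads POST form fields; prefer POST so the password
            // does not land in access logs via the query string.
            String username = request.getParameter("username");
            String password = request.getParameter("password");
            if (username != null && password != null) {
                String[] groups = authenticate(username, password);
                if (groups == null) {
                    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                    return AuthStatus.SEND_FAILURE;
                }
                handler.handle(new Callback[] {
                        new CallerPrincipalCallback(clientSubject, username),
                        new GroupPrincipalCallback(clientSubject, groups)});
                // Ask the container to remember the caller for the rest of the HTTP session.
                messageInfo.getMap().put("javax.servlet.http.registerSession", "true");
                return AuthStatus.SUCCESS;
            }
            if (!mandatory) {
                // Unprotected resource, no credentials: continue as an unauthenticated caller.
                handler.handle(new Callback[] {new CallerPrincipalCallback(clientSubject, (Principal) null)});
                return AuthStatus.SUCCESS;
            }
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_FAILURE;
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
    }

    // Returns the user's groups, or null if the credentials are wrong.
    static String[] authenticate(String username, String password) {
        String[] entry = STORE.get(username);
        if (entry == null) return null;
        // Constant-time comparison so response time does not reveal how many bytes matched.
        if (!MessageDigest.isEqual(entry[0].getBytes(UTF_8), password.getBytes(UTF_8))) return null;
        return Arrays.copyOfRange(entry, 1, entry.length);
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;  // nothing to add to the response
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        if (subject != null) subject.getPrincipals().clear();
    }
}
```

Once the module is registered for the application, a `<security-constraint>` in web.xml whose `<auth-constraint>` names the role `admins` is enforced by the container (given the usual group-to-role mapping), and `request.isUserInRole("admins")` returns true for `alice` and false for `bob`; that container-level integration is exactly what a home-grown login filter cannot provide.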

To continue reading, see page 25 of the August/September 2016 issue of Java Magazine.

Comments (1)


  1. Juan Pablo Feliciano Báez

    Hi Steve.

    I read this article through the Java Magazine and it is a very interesting topic. I have to confess that I never heard of JASPIC before. I'm developing a Java EE 7 application on WildFly 10.1.0 and currently the authentication mechanism is FORM based, linked with a Security Domain at database level. Although this strategy is running and supporting this important security requirement, I want to adopt JASPIC to have more control and to build our own authentication module. Following the steps described in the article, the username and password are sent as parameters through the GET method, but in my application I have a form with those fields to send the values and a rule in the web application descriptor to map the form-login and form-error pages. How can I adapt my application to work with JASPIC using those defined form rules and identifying the scenarios in which the validateRequest method doesn't have to review the user and password to authenticate if a valid process was run before?
