The new Java Magazine is out now, featuring a lot of useful articles about enterprise Java – not so much Java EE as a platform, but individual services that can be useful as part of a larger solution. See below for an introduction to my article on Custom Servlet Authentication Using JASPIC, also featured in the magazine.
When you build web applications using Java EE, you often need to work with some organization-specific user repository for authenticating users and obtaining a user’s groups. Typically users are defined in a specific database, a strange LDAP configuration, or some other user-identity store specific to the project. All Java EE application servers ship with the capability to integrate with a common set of identity stores. For example, GlassFish Server ships with several so-called realms: file, LDAP, JDBC, Oracle Solaris, PAM, and certificate.
Each realm needs to be manually configured, and the configuration is specific to the application server and outside the control of your application. If the predefined realms don’t it your needs, you then need to develop an application specific module to extend the capabilities using application server–specific APIs. Many developers faced with this prospect build some custom code in the web application, which integrates with their required identity store and uses application-specific mechanisms to manage authentication and authorization.
The problem with this approach is that these developer designed mechanisms for managing authentication are not integrated with the application server, so the standard Java EE security model does not apply, the power of Java EE APIs such as isUserInRole and getUserPrincipal can’t be used, and standard Java EE declarative security fails. In this article, I examine an alternative solution that is tucked away in Java EE. I expect readers to have a basic working knowledge of Java EE and its authentication mechanisms.
5 minutes
Hi Steve.
I read this article through the Java Magazine and is a very interesting topic, I have to confess that I never heard from JASPIC before. I’m developing a Java EE 7 application on WildFly 10.1.0 and currently the authentication mechanism is FORM based linked with a Security Domain at database level. Altough this strategy is running and supporting this important secutiry requirement, I want to adopt JASPIC to have a more control and to build our own authentication module. Following the steps described in the article the username and password are sended as parameters through the GET method, but in my application I have a form with those fields to send the values and a rule in the web application descriptor to map the form-login and form-error pages. How can I adapt my application to work with JASPIC using those defined form rules and identifying the scenarios in which the validateRequest method don’t have to review the user an password to authenticate if a valid process was runned before?