Re: J2EE authentication

From: Arne Vajhøj <arne@vajhoej.dk>
Newsgroups: comp.lang.java.programmer
Date: Tue, 25 Jan 2011 19:37:39 -0500
Message-ID: <4d3f6ccb$0$23752$14726298@news.sunsite.dk>

On 25-01-2011 06:02, Lionel wrote:

> I'm a seasoned Java programmer but I am currently introducing myself to
> J2EE.
>
> One thing I've noticed is that the Sun tutorials all talk about adding a
> user to the Glassfish realm to do authentication. As far as I can tell
> this is not what I want to do as it seems to involve a manual step of
> adding users. I also don't want to tie myself to a specific application
> server.


First thing to decide is between container managed authentication and
app managed authentication.

With container managed authentication the user/role database is
external to your app and the container manages the check of whether
the session is authenticated. The app just supplies a login
page and can restrict access via either declaration in web.xml or
using the servlet API.

With app managed authentication you do everything yourself and
store something in session to indicate status and check on that.

I would strongly recommend container managed authentication,
because it is not that easy to get everything correct - so better
to reuse what IBM/BEA/JBoss/Apache has done.

Note that if you have ever done ASP (classic not .NET) or PHP,
then app managed authentication is standard.

> I've discovered the Netbeans example JsfJPA which looks like what I
> want, but seems a little messy, the user model and the algorithms are
> all mixed in and the separation is not good.
>
> I discovered this
> http://www.novocode.com/doc/servlet-essentials/chapter4b.html#ch_4_5
> which looks quite good to me.


That seems to be app managed authentication in the toy edition.

Forget it.

> What I am trying to achieve is, for example, say a simple board game
> website where a user can register then log in and see their games, play
> etc.
>
> What is the best technology to do this? A servlet as in the example
> above? Java Server Faces?


Go for container managed authentication.

It does not matter much what mix of technologies you use
servlet/JSP/JSF/JSTL/EL/facelets.

Anything running inside a servlet container can do it.

Arne
