
Authentication J2EE Reference implementation

  • 24-02-2003 2:51am
    #1
    Closed Accounts Posts: 6


    Hi,
    I am designing a web based application for my final year college project. I am familiar with the use of roles and groups for security in J2EE.
    However, a website will have many new users and it is obviously not practical to map each new user to a role and group by hand in the deploytool. Is it possible to use a database with the J2EE 1.3 server for user authentication or would I have to change to a different app server to achieve this? Any help would be much appreciated.


Comments

  • Registered Users Posts: 2,010 ✭✭✭Dr_Teeth


    That stuff should not have to involve your ejb container at all if you don't want to. The servlet can handle the user login/session stuff and you can have that talking to a session bean which then talks to some sort of entity object that manages a user table in a DB..

    Teeth.


  • Closed Accounts Posts: 6 smitzer


    I am doing something similar at the moment in that the user logs in using a session bean. If it is successful then I place the username in the session object. I will alter this nearer to deadline day to include SSL.

    I am not using roles to control access to the actual web resources as I think that session tracking will suffice. Just to associate a principal with a user when they login or register and then to propagate that identity to the EJB container. I only want to use groups and roles to lock certain methods in the bean classes for administrative use only.

    I think that Tomcat has some kind of JDBC realm for security but there does not seem to be much documentation for this on the web.


  • Closed Accounts Posts: 6 smitzer


    I think what I will do now is just leave the methods called by the web app as all users and just leave the bean methods used by the Swing GUI to require authentication. Probably the best course of action on the Reference implementation unless I can get the college to stump up a couple of grand for a BEA or IBM server. That or I figure out how the hell to use JBoss.

