views: 79
answers: 4
Which is the best approach/method to implement security in J2EE? (JPA/JSPs)

I'm working on a personal project so I can learn J2EE, and I am a little confused on how to approach the AUTHORIZATION and AUTHENTICATION process on my website.

I have different roles and I don't want certain users to access certain parts of the website. So I've been searching for docs and tutorials and etc, but everything I find dates to more than 3-4 years ago. Is there anything more recent that I should look into?

Here are some of the things I found:

http://www.oracle.com/technetwork/developer-tools/jdev/oc4j-jaas-login-module-083975.html

Any help would be greatly appreciated!!! :)

Thanks,

Johan

+1  A: 

I worked on a J2EE application recently with JAAS. It's pretty current; you can check its home page at Oracle.

It works with roles, authentication, etc.

You can use it in JBoss and Glassfish, probably the rest of the ASs too.

Fernando
+1  A: 

Something more recent than JAAS is the Spring Security framework. It supports JSR-350 (EJB 3) and thus would work fine in J2EE.

Thierry-Dimitri Roy
I am discovering Spring and it never ceases to amaze me. Ok, now I have to go read about Spring Security...
Fernando
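As an added example, not code from any answer above: a Java-configuration version of the Spring Security setup recommended here, showing role-based URL rules, an HTTPS requirement, a login page, JDBC-backed authentication and JSR-250 method security (@RolesAllowed on service beans). It assumes Spring Security 3.2 or later (Java config did not exist in earlier 3.x releases), a `DataSource` bean already defined elsewhere, the default `users`/`authorities` schema that `jdbcAuthentication()` expects, and the URL paths, role names and `ReportService` class, which are all made up for the illustration.

```java
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Service;
import javax.annotation.security.RolesAllowed;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(jsr250Enabled = true) // lets @RolesAllowed work on Spring beans
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource dataSource; // assumed to be defined elsewhere in the application context

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // hasRole("ADMIN") matches the authority "ROLE_ADMIN" in the authorities table
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/account/**").hasAnyRole("USER", "ADMIN")
                .antMatchers("/", "/public/**", "/css/**").permitAll()
                // default-deny: anything not listed above still needs a logged-in user
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login").permitAll()
                .and()
            .logout().permitAll()
                .and()
            // equivalent of a CONFIDENTIAL transport guarantee: every request must be HTTPS
            .requiresChannel().anyRequest().requiresSecure();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Default JDBC schema: users(username, password, enabled) and authorities(username, authority).
        // Stored passwords must be BCrypt hashes, never plaintext.
        auth.jdbcAuthentication()
            .dataSource(dataSource)
            .passwordEncoder(new BCryptPasswordEncoder());
    }
}

/** Hypothetical service bean: the role check is enforced on the method, independent of the URL rules. */
@Service
class ReportService {

    @RolesAllowed("ADMIN") // with jsr250Enabled, "ADMIN" is mapped to the authority ROLE_ADMIN
    public String buildFullReport() {
        return "full report";
    }

    @RolesAllowed({"USER", "ADMIN"})
    public String buildOwnReport(String username) {
        return "report for " + username;
    }
}
```

The URL rules guard the web tier and the method annotations guard the service tier; keeping both means a new controller that forgets its `antMatchers` entry still cannot reach an admin-only operation. CSRF protection is on by default in this configuration, so JSP forms need to include the CSRF token Spring Security exposes.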
+1  A: 

Spring Security. Although it is branded as Spring, you might find it useful for web applications; do note that you don't need to write a Spring app to use Spring Security.

If you wish to stick to JAAS, I would suggest using one of the container's login modules, just to get started, before you attempt to write your own login module. Be forewarned that you might end up writing one, if the container supplied modules do not meet your requirements. And, there is a good book on JAAS to help you understand it in detail.

Moreover, take a look at Servlet spec 3.0, to see how annotations can be used to declare the roles (@DeclareRoles, which came in servlet spec 2.5) in the servlet itself, before defining what roles have access to what HTTP method (using @RolesAllowed). You can also employ annotations like @DenyAll and @PermitAll, to permit or forbid access to all users. @TransportProtected will ensure that the HTTP method is accessed over HTTPS. All one needs to do is to map these roles in the source code to actual roles in the JAAS realm; this is often done using a container-specific descriptor file.

ADDENDUM

Since you are using JSPs and not Facelets or any other technology for the presentation tier, you might be interested in the JSP tags offered by Spring Security. It is much cleaner than maintaining all of the authorization metadata in a humongous web.xml file.

As far as JPAs are concerned, well, the underlying access to them is usually enforced at the servlets or EJBs. Of course, you can build in more programmatic security, based on your needs - using entity listeners would help in this process as you would be able to intercept load, update and persist operations (if you are that particular, but for the most part building security before your business logic is executed usually is sufficient).

And oh, take a look at JBoss Seam (and Seam security), for it is a complete application development framework built on Java EE.

Vineet Reynolds
Thanks to all of you!!! I'll make sure to check it all... :)
Johan
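As an added example, not code from the answer above, here is the Java EE side of what Vineet Reynolds describes: declarative role constraints on a Servlet 3.0 servlet (the `@ServletSecurity`/`@HttpConstraint` annotations, with `TransportGuarantee.CONFIDENTIAL` as the standard way to require HTTPS), `@RolesAllowed`/`@PermitAll`/`@DenyAll` on an EJB, and a JPA entity listener that adds a programmatic ownership check on update and remove. The role names `admin` and `member`, the `PurchaseOrder` entity, the `OrderService` bean and the `/admin/reports` path are all invented for the illustration; the `java:comp/EJBContext` JNDI lookup is the standard name an EJB container binds for the current context.

```java
import java.io.IOException;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBContext;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.persistence.*;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Web tier: the container enforces roles and HTTPS before doGet() ever runs. */
@DeclareRoles({"admin", "member"})
@WebServlet("/admin/reports")
@ServletSecurity(
    // default for all methods: admin only, and only over HTTPS
    value = @HttpConstraint(rolesAllowed = {"admin"}, transportGuarantee = TransportGuarantee.CONFIDENTIAL),
    // GET is also open to members (still HTTPS); POST/PUT/DELETE keep the admin-only default
    httpMethodConstraints = {
        @HttpMethodConstraint(value = "GET", rolesAllowed = {"admin", "member"},
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    })
class ReportServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Programmatic check for a decision the annotations cannot express: members only see their own data.
        if ("all".equals(req.getParameter("scope")) && !req.isUserInRole("admin")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("report for " + req.getUserPrincipal().getName());
    }
}

/** Business tier: the same roles guard EJB methods, so a caller cannot bypass the servlet rules. */
@Stateless
@DeclareRoles({"admin", "member"})
class OrderService {
    @Resource private SessionContext ctx;
    @PersistenceContext private EntityManager em;

    @RolesAllowed({"admin", "member"})
    public PurchaseOrder place(PurchaseOrder order) {
        order.setOwner(ctx.getCallerPrincipal().getName()); // owner is taken from the verified caller, not the request
        em.persist(order);
        return order;
    }

    @RolesAllowed("admin")
    public void cancel(long id) {
        PurchaseOrder order = em.find(PurchaseOrder.class, id);
        if (order != null) em.remove(order);
    }

    @PermitAll
    public long count() {
        return em.createQuery("select count(o) from PurchaseOrder o", Long.class).getSingleResult();
    }

    @DenyAll // reachable from no role at all; useful while a dangerous operation is being reworked
    public void purgeAll() { }
}

/** Persistence tier: an entity listener intercepts update/remove and enforces ownership. */
class OwnershipGuard {
    @PreUpdate
    @PreRemove
    public void checkOwner(PurchaseOrder order) {
        try {
            EJBContext ctx = (EJBContext) new InitialContext().lookup("java:comp/EJBContext");
            String caller = ctx.getCallerPrincipal().getName();
            if (!ctx.isCallerInRole("admin") && !caller.equals(order.getOwner())) {
                // a RuntimeException from a lifecycle callback marks the transaction for rollback
                throw new SecurityException(caller + " may not modify order " + order.getId());
            }
        } catch (NamingException e) {
            throw new IllegalStateException("no EJB context available", e);
        }
    }
}

@Entity
@Table(name = "purchase_orders")
@EntityListeners(OwnershipGuard.class)
class PurchaseOrder {
    @Id @GeneratedValue private Long id;
    private String owner;

    public Long getId() { return id; }
    public String getOwner() { return owner; }
    public void setOwner(String owner) { this.owner = owner; }
}
```

The three layers are deliberately redundant: the servlet constraint stops unauthenticated or wrongly-roled requests at the edge, the EJB annotations stop any other code path (a second servlet, a JMS consumer) from reaching admin operations, and the entity listener catches an authorized member trying to touch another member's row. The `admin` and `member` role names still have to be mapped to groups in the server's realm through its container-specific descriptor, exactly as the answer notes.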
A: 

Spring security tutorial https://www.packtpub.com/spring-security-3/book. Highly recommended.

antorun