We're building a GWT + Hibernate + Spring web app that's deployed to Tomcat and Postgres. Looking at http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ and http://www.owasp.org/index.php/Hashing_Java#Complete_Java_Sample, we have a User table and a Role table (4-5 roles, to start with).
Various layers of the app need access to the currently logged-in user's info (like loginId, locale, etc.), so I'm thinking of adding an AuthenticationFilter which will authenticate each HTTP request and create a ThreadLocal RequestContext which will hold various user attributes.
I'm also thinking of having an AuthCache which will store a ConcurrentHashMap of sessionIds and loginIds. AuthenticationFilter will use the AuthCache for authentication.
I understand Spring Security and Apache Shiro (http://incubator.apache.org/projects/shiro.html) are probably better ways, but I have very little time to get this done, so I'm skipping them for now.
Just wanted to know if there are better ways to do this? Is there existing code which does this right, so my implementation doesn't have many holes?
Thank you,
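As an added illustration of the filter + AuthCache + ThreadLocal design described in the question (this is not code from the original post), here is a minimal javax.servlet version; the class layout, the `login` helper and the 401 response are assumptions, and the two points it adds are clearing the ThreadLocal in `finally` and tying cache entries to the container's session lifecycle:

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;

// Per-request user attributes; valid only for one request on one thread.
final class RequestContext {
    private static final ThreadLocal<RequestContext> CURRENT = new ThreadLocal<RequestContext>();
    final String loginId;
    RequestContext(String loginId) { this.loginId = loginId; }
    static RequestContext get() { return CURRENT.get(); }
    static void set(RequestContext ctx) { CURRENT.set(ctx); }
    static void clear() { CURRENT.remove(); } // must run on every exit path: Tomcat reuses threads
}

// sessionId -> loginId, filled at login; entries go away when the container ends the session.
final class AuthCache implements HttpSessionListener {
    static final ConcurrentHashMap<String, String> SESSIONS = new ConcurrentHashMap<String, String>();
    // Hypothetical helper: call from the login handler after the password check succeeds.
    static void login(HttpServletRequest request, String loginId) {
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();           // never keep the pre-login session id (session fixation)
        SESSIONS.put(request.getSession(true).getId(), loginId);
    }
    public void sessionCreated(HttpSessionEvent e) { }
    public void sessionDestroyed(HttpSessionEvent e) { SESSIONS.remove(e.getSession().getId()); } // logout or timeout
}

public class AuthenticationFilter implements Filter {
    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        HttpSession session = request.getSession(false);  // do not create a session just to check auth
        String loginId = session == null ? null : AuthCache.SESSIONS.get(session.getId());
        if (loginId == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED); // assumed: the app may redirect to login instead
            return;
        }
        RequestContext.set(new RequestContext(loginId));
        try {
            chain.doFilter(request, response);
        } finally {
            RequestContext.clear(); // otherwise the next request on this pooled thread inherits this user
        }
    }
}
```

Both AuthCache (as a listener) and AuthenticationFilter still have to be registered in web.xml, and the filter mapping should cover every GWT-RPC path, since any unmapped URL is reachable without the check.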