We distribute our web-application to our customers as a .war file. That way, the user can just deploy the war to their container and they're good to go. The problem is that some of our customers would like authentication, and use the username as a parameter to certain operations within the application.

I know how to configure this using web.xml, but that would mean we either have to tell our customers to hack around in the war file, or distribute 2 separate wars; one with authentication (and predefined roles), one without.

I also don't want to force authentication on our customers, because that would require more knowledge about Java containers and web servers in general, and make it harder to just take our application for a test drive.

Is there a way to do the authentication configuration in the container, rather than in the web-app itself?

A: 

It is common practice to have user information stored in e.g. a datasource (database). Have your application use that same datasource for authentication. Databases are relatively easy to maintain. You can even implement some admin pages to maintain user information from within the application.

tehvan
A: 

Many containers, such as Glassfish, provide support for JDBC realms. In this case you can configure access (e.g., in web.xml) for groups, and let the customer configure usernames, passwords and group memberships.

Einar
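Tomcat's counterpart to the GlassFish JDBC realm mentioned above is the `DataSourceRealm`, and it can live entirely in a container-side context file that the customer owns, so the shipped WAR is never edited. The following is an added example, not configuration from the original answer or from the product being discussed; the data source name `jdbc/authority`, the table and column names, and the database URL and account are assumptions to be replaced with the customer's own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- $CATALINA_BASE/conf/Catalina/localhost/myapp.xml
     Per-application context for a WAR deployed as "myapp". Owned by the
     customer; the WAR itself stays untouched. (Added example; all names
     below are assumptions.)

     Assumed schema, created by the customer in the "authority" database:
       users      (user_name VARCHAR PRIMARY KEY, user_pass VARCHAR)
       user_roles (user_name VARCHAR REFERENCES users, role_name VARCHAR)
     role_name values must match the <security-role> names in web.xml. -->
<Context>

  <!-- Connection pool scoped to this application only (localDataSource).
       The DB account needs SELECT on the two tables and nothing else. -->
  <Resource name="jdbc/authority"
            auth="Container"
            type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://localhost:5432/authority"
            username="authority_ro"
            password="replace-me"
            maxTotal="8"/>   <!-- Tomcat 7 and earlier: maxActive -->

  <!-- Authenticate users and resolve their roles from the tables above. -->
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/authority"
         localDataSource="true"
         userTable="users"
         userNameCol="user_name"
         userCredCol="user_pass"
         userRoleTable="user_roles"
         roleNameCol="role_name">

    <!-- Never store plaintext in user_pass. With this handler the column
         holds salted, iterated SHA-256 digests; Tomcat 8+ only. On Tomcat 7
         drop this element and put digest="SHA-256" on the Realm instead. -->
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                       algorithm="SHA-256"
                       saltLength="16"
                       iterations="10000"/>
  </Realm>

</Context>
```

With the realm defined here rather than in `server.xml`, the same Tomcat instance can host a second copy of the WAR with no `<Realm>` at all for test drives. The `<security-constraint>` in the WAR's `web.xml` still applies, so that second copy only works if its roles are satisfied by whatever realm is in scope; a customer who wants no login at all needs a container that lets them map the role to every caller, as the next answer describes.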
+2  A: 

In web.xml, define security constraints to bind web resource collections to J2EE roles and a login configuration (both for the customers that want access control to some of the resources of your app).

Then, let the customers bind the J2EE roles defined in your web app to the user groups and specific users defined on their app servers. Customers that do not want any access control may bind all roles to unauthorized users (the name of that user group is specific to the app server; e.g. WebSphere calls it 'Everyone'). Customers that want to restrict access to a resource or resources in your webapp to a limited set of users or a user group may do so by binding the roles to users/groups per their needs.

If authentication is required to verify a user's membership in a role, then the authentication method specified in the login config in your web.xml will be used.

david a.
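The split described in this answer, as an added example that is not part of the original post: the WAR ships one portable `web.xml` naming a single role, and the customer supplies the container-specific role-to-group binding (shown here for GlassFish in `sun-web.xml`, which a customer can add at deployment time). The URL pattern `/app/*`, the role name `app-user`, the login page paths and the group name `customer-staff` are assumptions for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml, shipped inside the WAR (added example; names assumed) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Everything under /app/ requires the app-user role. Deliberately no
       <http-method> elements: listing methods would protect only those
       methods and leave e.g. HEAD or PUT reachable without a login. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Application operations</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>app-user</role-name>
    </auth-constraint>
    <!-- Force TLS so form credentials and the session cookie are not sent
         in clear; the container redirects HTTP to HTTPS for these URLs. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Used only when the container has to authenticate to check the role.
       The two JSPs are served by the WAR and must lie outside /app/*. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Application</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-failed.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- The one abstract role the customer binds to their own users/groups.
       Servlets read the authenticated name with request.getRemoteUser()
       and pass it to the operations that need a username; it is null when
       the customer has bound the role to everyone and nobody logged in. -->
  <security-role>
    <role-name>app-user</role-name>
  </security-role>

</web-app>
```

The customer-side half for GlassFish (`WEB-INF/sun-web.xml`, or the equivalent entry made in the admin console at deployment) binds that role to a group defined in whichever realm the customer configured:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD Application Server 9.0 Servlet 2.5//EN"
  "http://www.sun.com/software/appserver/dtds/sun-web-app_2_5-0.dtd">
<!-- Customer-owned role binding (added example; group name assumed) -->
<sun-web-app>
  <security-role-mapping>
    <role-name>app-user</role-name>
    <group-name>customer-staff</group-name>
  </security-role-mapping>
</sun-web-app>
```

A customer who wants no access control at all does not edit the WAR either: on WebSphere they bind `app-user` to the 'Everyone' special subject as the answer says, and on GlassFish they can instead enable the server's default principal-to-role mapping and create a group named `app-user` in a realm that accepts every caller. Either way the constraint in `web.xml` stays the same, and the application only ever sees the role and `getRemoteUser()`, never the container's notion of users and groups.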