J2EE Security

Hi there.

I am busy working on the security for the tapestry web application we are building.

As it started out really small we built in a login module and a way of moving the active user account throughout the system using the session without a specific security framework. Now that it is getting larger we are looking at alternatives like J2EE with JAAS or AceGI.

Over the past few days I've been doing a lot of reading on the topic and I am not sure as to why we would need to implement something along these lines if we already have a way of authenticating the user and the application will never be interfacing with third party j2ee applications.

Is there some wow factor item in J2EE Security that I have overlooked?

Many thanks,
Rachel

As your app will run in a servlet container, are you doing your authentication by basic, form, digest or SSL and client certificate?

I am not sure strictly which category this falls into.

When the user logs on we authenticate them against the database and store the user in tapestry's visit object.

The other reason we are looking into these technologies as the time has come to implement roles and permissions. If J2EE or some such framework is going to make this very simple for us and provide an easy way to set up roles and permissions from inside the web application, then it would be usefull to us to implement user authentication as sepcified by the j2ee framework.

With j2ee is it possible to specify user roles and permissions from inside the web application?

Many thanks.
[ March 30, 2006: Message edited by: Rachel Swailes ]

To my experience, standard J2EE security is vastly insufficient for anything but the very simplest of tasks. Once the requirements become even the sightest bit tricky you end up coding the logic yourself.

When it comes to defining roles and permissions that will pretty much always be implementation dependent - I'm guessing you will want to be able to store your users in the same way you're doing now. That means that you'll still need to write the code to modify users and roles yourself (that's typically not part of the security framework, even though some application servers have their own proprietary API for doing it).

I'd go with Acegi; it's a very robust and flexible framework.

If you already have web app authentication, then you can add roles quite easily. As long as you have access to the HttpServletRequest objects, you can use its getRemoteUser, getUserPrincipal, getAuthType and isUserInRole methods to access role information about the user.
Permissions are not part of web app security, though. If using JAAS seems daunting, consider something like JGuard to take the pain out of it.

Hi guys.

Thanks for the advice. I'm going to check out JGuard to see what it can do for me.

Cheers,
Rachel