User log-in process

Tomi Tuomainen
Ranch Hand

Joined: Jun 13, 2004
Posts: 86
Supposing that I want authentication to be handled in an EJB App used by a web app and a swing app...

How do I check username and password? Do we check it manually by accessing the user database, or is it preferred to let the container handle this (by using "server users")? If the container handles this, can the server be mapped into LDAP or a database table where the username/password information resides?
[ July 22, 2004: Message edited by: Tomi Tuomainen ]
Parag Doshi
Ranch Hand

Joined: Jun 29, 2004
Posts: 317
Originally posted by Tomi Tuomainen:
Supposing that I want authentication to be handled in an EJB App used by a web app and a swing app...

How do I check username and password? Do we check it manually by accessing the user database, or is it preferred to let the container handle this (by using "server users")? If the container handles this, can the server be mapped into LDAP or a database table where the username/password information resides?

[ July 22, 2004: Message edited by: Tomi Tuomainen ]



Tomi,
It's normally preferred that the web container handle the authentication and pass over the user Principal to the ejb container (security propagation), and then the ejb container can handle the authentication/authorization portion of it. This scheme works well in a web-based application, as the user request would be first handled by the web container and any authentication that needs to be performed is done first hand. Currently, as far as I know, programmatic authentication is not supported at the ejb layer (I could be wrong). You can, however, do programmatic authorization in the ejb layer, if you need that kind of fine-grained security restrictions.
The container supports quite a few authentication mechanisms: it can use a user id/password file, db, ldap, certificates etc. This is generally configured in an application-server-specific way during deployment. The users/groups are mapped to the application roles during deployment.
As far as the swing app is concerned, you have 2 choices there. The first is to propagate all calls via the web container; that way you can use the same security mechanism as the web app and you don't have to deal with 2 different kinds of security mechanisms. The other way to go about it is to let the ejb client container do the authentication on behalf of the app. The ejb client container is usually deployed along with the client app and it knows how to communicate with the ejb server container. I find that a little too complicated and would rather go the web container route; at least that way, I only have to configure everything once and it would behave uniformly for both types of app (and any further clients which might be introduced).

These are my 2 cents

Parag
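
The division of labour described in the reply above, as an added example that is not part of the original thread: the container authenticates the caller and propagates the Principal, the bean declares which roles may call it, and a programmatic check adds the fine-grained rule. It assumes EJB 3.x annotations and a realm whose principal name is the login user name; the class, role names and sample accounts are hypothetical.

```java
// Added illustration, not code from the thread. Assumes EJB 3.x annotations;
// class, method and role names are hypothetical.
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles({"customer", "clerk"})
public class AccountServiceBean {

    // Injected by the container; carries the caller identity that the web
    // container (or application client container) authenticated and propagated.
    @Resource
    private SessionContext ctx;

    // Constructed sample data: account id -> owning user name. Read-only.
    private static final Map<String, String> OWNERS = new HashMap<>();
    static {
        OWNERS.put("ACC-1", "alice");
        OWNERS.put("ACC-2", "bob");
    }

    // Declarative authorization: callers in neither role are rejected by the
    // container before the method body runs. Users and groups are mapped to
    // these roles in the server-specific deployment configuration.
    @RolesAllowed({"customer", "clerk"})
    public String describeAccount(String accountId) {
        Principal caller = ctx.getCallerPrincipal();
        String owner = OWNERS.get(accountId);
        if (owner == null) {
            throw new IllegalArgumentException("unknown account");
        }
        // Programmatic authorization: a clerk may read any account,
        // a customer only the account they own.
        boolean allowed = ctx.isCallerInRole("clerk")
                || owner.equals(caller.getName());
        if (!allowed) {
            throw new EJBAccessException("caller may not read " + accountId);
        }
        return accountId + " owned by " + owner;
    }
}
```

The bean never sees a password: it relies entirely on the identity the container established, which is why both the web app and the Swing client must reach it through a container-authenticated path.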
Tomi Tuomainen
Ranch Hand

Joined: Jun 13, 2004
Posts: 86
Thanks Parag, good answer. I just read that J2EE best practice is to use container-managed security whenever possible.

I'll make a new topic concerning swing connecting to web app...
[ July 22, 2004: Message edited by: Tomi Tuomainen ]
 