I'm preparing myself for the SCWCD exam and trying to create a "real" website with a DB, members, etc.
I used the FORM method for login and j_security_check, but got some questions that made me think it over: is it really being used in production???
It looks like it gives the developer an easy way to configure his security area, BUT it actually takes the flexibility away!!!
1. If a user wants to log in (just by clicking on "login") without going into a security area first, we will probably need to redirect the link to a secure area to trigger j_security_check and then jump back to the page. Is that the right way???
2. If the user wants to go to a secure page and triggers the login page, what happens if the username and password are correct but the role is not enough for the page he requested? He will get a 403 error page. I made an error page for the 403 error; the error goes to the error page and then continues and shows the user another 403 error page (in the URL line I see that j_security_check took over again after the error page was executed).
$$$$ Is it not easier to make everything without j_security_check, just making one DB table with username, password and role???
Can someone tell me if j_security_check is really used in production? Or is it just an option that nobody uses???
From what I've seen, j_security is the most common method. In fact, I think the bigger the application, the more likely it is used. In an enterprise application, the entire thing is usually a secured resource. What you described in part 1 sounds more like a website with some dynamic content.
For a dynamic website you're right, FORM-based security might not be the best option. There's also a good chance that J2EE isn't the best option either.
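For reference, here is the declarative setup the thread is talking about, as an added example that is not from either poster: a web.xml that puts everything under /members/ behind FORM login with a required role, maps 403 to a static page, and the matching login form. The paths, the role name "member" and the file names are assumptions for illustration.

```xml
<!-- web.xml fragment (assumed paths and role name for illustration) -->
<web-app>
  <!-- Everything under /members/ requires authentication AND the "member" role.
       A login link that points at a URL inside this pattern (e.g. /members/home.jsp)
       is what triggers the container's login page, which answers question 1. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Members area</web-resource-name>
      <url-pattern>/members/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- The container, not application code, handles j_security_check. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-failed.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Roles referenced in auth-constraints must be declared here. -->
  <security-role>
    <role-name>member</role-name>
  </security-role>

  <!-- Question 2: an authenticated user without the role gets 403; point the
       error page at a location OUTSIDE the constrained pattern, otherwise the
       error page itself is a protected resource and the 403 is raised again. -->
  <error-page>
    <error-code>403</error-code>
    <location>/forbidden.html</location>
  </error-page>
</web-app>

<!-- login.jsp: the action and field names are fixed by the Servlet spec. -->
<form method="POST" action="j_security_check">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
  <input type="submit" value="Login">
</form>
```

The login page, the error page and the 403 page must all sit outside every security-constraint url-pattern, and the credential check is done by the container's configured realm rather than by the application's own DB code.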