I am pretty new to JSF, and so far I love it, with the exception of authorization and authentication. I have been looking for a good tutorial to get me going using JAAS with JSF and Tomcat for a while and have only found fragments. Does anyone know of a good online resource or book that could help me wrap my head around this? What I am trying to do isn't that uncommon: I am trying to authenticate a user against a MySQL database table or an LDAP server.
JAAS is a particular security framework, but the fundamental framework for J2EE is Container Managed Authentication and Authorization. It's not JAAS, although Tomcat can use JAAS as one of the security realm options.
The J2EE CMA&A model is based on an externally-defined "black box" A&A provider, known as a Realm. Basically, the Realm answers one of two questions:
1. Is the supplied userid/password combination valid?
2. Is the user a participant in security role "X" (X being supplied as a parameter)?
The container itself also interacts. It matches incoming URLs against the security URL patterns in order to determine if the user needs to be authenticated (logged in) and what roles a given URL may service.
Because the Realm is defined through a standard interface, you can select a Realm, such as the JDBCRealm, LDAP Realm, JAAS Realm, or even supply a custom realm for use with specialized systems such as a Web Services-based security API.
Documentation on developing webapps that interface with the J2EE Container Managed A&A subsystem is provided in most books on basic J2EE, especially those that cover servlets and JSPs. Documentation on setting up and configuring a Realm is part of the server documentation, and the Tomcat Realm documentation is fairly good.
Customer surveys are for companies who didn't pay proper attention to begin with.
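The two halves described in the answer above, as an added example that is not part of the original thread: the webapp side (a `security-constraint` in `web.xml` that tells the container which URLs need a logged-in user and which roles may reach them) and the server side (a Tomcat `JDBCRealm` that answers the "is this userid/password valid?" and "is this user in role X?" questions against MySQL). The database name, connection account, table and column names, the `/secure/*` pattern, the `manager` role and the `login.html` page are all assumptions chosen for the illustration; the two-table layout mirrors the one in the Tomcat Realm documentation, and the `digest` attribute is the Tomcat 6/7 way of telling the realm that `user_pass` holds hashed rather than plaintext passwords (Tomcat 8 and later replace it with a nested `CredentialHandler` element).

```xml
<!-- ===== Part 1: WEB-INF/web.xml of the JSF webapp (added example, assumed values) ===== -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- The container compares every request URL with these patterns BEFORE the
       servlet/JSF code runs. A match means: the user must be authenticated, and
       must hold one of the listed roles, or the request is refused (401/403). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>   <!-- assumed: all pages under /secure -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>         <!-- assumed role name -->
    </auth-constraint>
    <user-data-constraint>
      <!-- Forces HTTPS for these URLs so the form credentials are never sent in clear. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- FORM login: the container itself serves login.html and processes the POST.
       The login form must be a plain HTML form posting to j_security_check with
       fields named j_username and j_password; a JSF <h:form> will not work here,
       because the container, not the FacesServlet, consumes that POST. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>   <!-- assumed page names -->
      <form-error-page>/login-error.html</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role referenced in an auth-constraint or by isUserInRole() is declared here. -->
  <security-role>
    <role-name>manager</role-name>
  </security-role>

</web-app>

<!-- ===== Part 2: Realm element in conf/server.xml or META-INF/context.xml (Tomcat 6/7) =====
     Assumed MySQL schema, following the layout in the Tomcat Realm docs:
       CREATE TABLE users      (user_name VARCHAR(64) NOT NULL PRIMARY KEY,
                                user_pass VARCHAR(64) NOT NULL);   -- holds SHA-256 hex digests
       CREATE TABLE user_roles (user_name VARCHAR(64) NOT NULL,
                                role_name VARCHAR(64) NOT NULL,
                                PRIMARY KEY (user_name, role_name));
     The realm runs, in effect:
       SELECT user_pass FROM users      WHERE user_name = ?   -- question 1: is the password valid?
       SELECT role_name FROM user_roles WHERE user_name = ?   -- question 2: is the user in role X?
-->
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="com.mysql.jdbc.Driver"
       connectionURL="jdbc:mysql://localhost/authority"   <!-- assumed database name -->
       connectionName="tomcat_auth"                         <!-- assumed DB account; grant SELECT only -->
       connectionPassword="change-me"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"
       digest="SHA-256" />
```

Once this is in place the JSF code never sees a password: it only asks the container the second question, e.g. `FacesContext.getCurrentInstance().getExternalContext().isUserInRole("manager")`, and the answer comes from whichever Realm is configured, so the same webapp works unchanged if the `JDBCRealm` is swapped for a `JNDIRealm` pointed at LDAP. Two practical caveats: `JDBCRealm` holds a single JDBC connection, so the Tomcat docs recommend `DataSourceRealm` (backed by a pooled `DataSource`) for production, and the `users.user_pass` column must be populated with the same digest the realm is configured for, which Tomcat's `RealmBase` class can compute from the command line for you.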