java custom login, strategy

bel aqua
Greenhorn

Joined: May 12, 2011
Posts: 1
I would like to get some views on how to implement a custom login/authentication for a web application.
I like to keep the project as simple as possible, yet with flexibility, using my own custom user object with different roles and attributes.
I am using java/jsp with tomcat.

I have previously used form based authentication with tomcat.
In server.xml I configured the application with Realm inside the application context.
org.apache.catalina.realm.JDBCRealm
using my own userRoleTable for the custom user in my database

To actually get my user object in the servlet I do the following:
String username = request.getUserPrincipal().getName();
I then get the user from my user table based on the username as query parameter.
List<MyUser> myUsers = DAOFactory.DEFAULT.buildMyUserDAO().findByname(username);
...

Is there any other cleaner/better way to do this with tomcat?

Do you have other suggestions for how to handle custom user login/authentication?
Spring or something else?

Thanks
Chris Beckey
Ranch Hand

Joined: Jun 09, 2006
Posts: 116

Especially in Tomcat it is not too difficult to implement your own Realm and Principal. You can stuff pretty much anything you need in the Principal derivation and access it using getUserPrincipal(). If you know that the Principal instance returned is of your type, just cast it and you can get to whatever you put into it.

In other words:
1.) Write your own Principal class that holds whatever data you want to have available (and that you have available to populate it with). If memory serves correctly, this may have to derive from the existing Tomcat Principal class.
2.) Write your own Realm class (hint: copy the existing RDBMSRealm and make changes)
3.) Declare your Realm in server.xml
4.) In your application, call getUserPrincipal() and cast the result to your Principal derived class

Hints:
Look at the Tomcat realm source code for the realms; unless you are doing DIGEST or CERTIFICATE authentication, you can forgo implementing a number of the authentication methods.
It's better to declare an interface that your Principal implements and cast to that. Keep the Tomcat specific stuff in a different JAR (project) so that your app does not become tied to Tomcat.
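
Added example (not part of the thread and not Tomcat code): a sketch of steps 1 and 4 together with the interface hint, showing the cast done with a type check so that an anonymous request or an unexpected Principal type is denied instead of throwing. The names `AppUser`, `RealmUser`, `currentUser` and `mayAccess` are hypothetical, the sample user is constructed, and the custom Realm that would create `RealmUser` at login is assumed and not shown.

```java
import java.security.Principal;
import java.util.Optional;
import java.util.Set;

public class PrincipalCastExample {

    /** Container-neutral view of the logged-in user (hypothetical name).
     *  Application code depends only on this interface. */
    interface AppUser extends Principal {
        Set<String> roles();
        String email();
    }

    /** What a custom Realm would build after a successful login (hypothetical).
     *  In a real project this class lives in the Tomcat-specific JAR. */
    static final class RealmUser implements AppUser {
        private final String name, email;
        private final Set<String> roles;
        RealmUser(String name, String email, Set<String> roles) {
            this.name = name;
            this.email = email;
            this.roles = Set.copyOf(roles); // immutable: app code cannot add roles later
        }
        @Override public String getName() { return name; }
        @Override public String email() { return email; }
        @Override public Set<String> roles() { return roles; }
    }

    /** Pass in request.getUserPrincipal(). An empty result means "not logged in":
     *  either null (anonymous) or a Principal type this application does not know. */
    static Optional<AppUser> currentUser(Principal p) {
        return (p instanceof AppUser) ? Optional.of((AppUser) p) : Optional.empty();
    }

    /** Fail closed: no recognised user means no access. */
    static boolean mayAccess(Principal p, String requiredRole) {
        return currentUser(p).map(u -> u.roles().contains(requiredRole)).orElse(false);
    }

    public static void main(String[] args) {
        // Constructed sample values, for illustration only.
        Principal fromRealm = new RealmUser("bel", "bel@example.test", Set.of("user"));
        Principal foreign = () -> "bel"; // a different Principal type with the same name
        System.out.println("realm user, role user:  " + mayAccess(fromRealm, "user"));
        System.out.println("realm user, role admin: " + mayAccess(fromRealm, "admin"));
        System.out.println("foreign principal:      " + mayAccess(foreign, "user"));
        System.out.println("anonymous (null):       " + mayAccess(null, "user"));
    }
}
```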
 
GeeCON Prague 2014
 
subject: java custom login, strategy