java custom login, strategy

bel aqua

Joined: May 12, 2011
Posts: 1
I would like to get some views on how to implement a custom login/authentication for a web application.
I like to keep the project as simple as possible, yet with flexibility, using my own custom user object with different roles and attributes.
I am using Java/JSP with Tomcat.

I have previously used form-based authentication with Tomcat.
In server.xml I configured the application with a Realm inside the application context, using my own userRoleTable for the custom user in my database.

To actually get my user object in the servlet I do the following:
String username = request.getUserPrincipal().getName();
I then get the user from my user table based on the username as query parameter.
List<MyUser> myUsers = DAOFactory.DEFAULT.buildMyUserDAO().findByname(username);

Is there any other cleaner/better way to do this with Tomcat?

Do you have other suggestions for how to handle custom user login/authentication?
Spring or something else?

Chris Beckey
Ranch Hand

Joined: Jun 09, 2006
Posts: 116

Especially in Tomcat it is not too difficult to implement your own Realm and Principal. You can stuff pretty much anything you need in the Principal derivation and access it using getUserPrincipal(). If you know that the Principal instance returned is of your type, just cast it and you can get to whatever you put into it.

In other words:
1.) Write your own Principal class that holds whatever data you want to have available (and that you have available to populate it with). If memory serves correctly, this may have to derive from the existing Tomcat Principal class.
2.) Write your own Realm class (hint: copy the existing RDBMSRealm and make changes).
3.) Declare your Realm in server.xml
4.) In your application, call getUserPrincipal() and cast the result to your Principal derived class

Look at the Tomcat realm source code for the realms. Unless you are doing DIGEST or CERTIFICATE authentication, you can forgo implementing a number of the authentication methods.
It's better to declare an interface that your Principal implements and cast to that. Keep the Tomcat specific stuff in a different JAR (project) so that your app does not become tied to Tomcat.
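
Added example, not code from the thread or from Tomcat: a sketch of the interface-and-cast approach suggested above, using only java.security.Principal so the application side stays container-neutral. The names AppUser, MyUserPrincipal and currentUser are hypothetical, and it assumes the custom Realm hands back a MyUserPrincipal from getUserPrincipal().

```java
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Optional;
import java.util.Set;

public class PrincipalCastExample {

    /** Container-neutral view of the user; the web app depends only on this (hypothetical name). */
    public interface AppUser extends Principal {
        String getDisplayName();
        Set<String> getRoles();
    }

    /** Would live in the Tomcat-specific JAR; a custom Realm builds it at login (hypothetical name). */
    public static final class MyUserPrincipal implements AppUser {
        private final String name;
        private final String displayName;
        private final Set<String> roles;

        public MyUserPrincipal(String name, String displayName, Set<String> roles) {
            this.name = name;
            this.displayName = displayName;
            // Defensive copy: roles cannot be altered after authentication.
            this.roles = Collections.unmodifiableSet(new HashSet<>(roles));
        }
        @Override public String getName() { return name; }
        @Override public String getDisplayName() { return displayName; }
        @Override public Set<String> getRoles() { return roles; }
    }

    /**
     * Pass request.getUserPrincipal(). An empty result means the request is
     * unauthenticated (null) or a different Realm supplied another Principal
     * type; callers should deny access instead of hitting a ClassCastException.
     */
    public static Optional<AppUser> currentUser(Principal p) {
        return (p instanceof AppUser) ? Optional.of((AppUser) p) : Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample data standing in for what the Realm loaded from the user table.
        Principal fromRealm = new MyUserPrincipal("alice", "Alice Example", Set.of("editor"));
        Principal foreign = () -> "alice"; // same name, but not our type
        System.out.println(currentUser(fromRealm).map(AppUser::getRoles));
        System.out.println(currentUser(foreign).isPresent());
        System.out.println(currentUser(null).isPresent());
    }
}
```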