
java custom login, strategy

 
bel aqua
Greenhorn
Posts: 1
I would like to get some views on how to implement a custom login/authentication for a web application.
I like to keep the project as simple as possible, yet with flexibility, using my own custom user object with different roles and attributes.
I am using Java/JSP with Tomcat.

I have previously used form-based authentication with Tomcat.
In server.xml I configured the application with Realm inside the application context.
org.apache.catalina.realm.JDBCRealm
using my own userRoleTable for the custom user in my database

To actually get my user object in the servlet I do the following:
String username = request.getUserPrincipal().getName();
I then get the user from my user table based on the username as query parameter.
List<MyUser> myUsers = DAOFactory.DEFAULT.buildMyUserDAO().findByname(username);
...

Is there any other cleaner/better way to do this with Tomcat?

Do you have other suggestions for how to handle custom user login/authentication?
Spring or something else?

Thanks
 
Chris Beckey
Ranch Hand
Posts: 116
Eclipse IDE Tomcat Server
Especially in Tomcat it is not too difficult to implement your own Realm and Principal. You can stuff pretty much anything you need in the Principal derivation and access it using getUserPrincipal(). If you know that the Principal instance returned is of your type, just cast it and you can get to whatever you put into it.

In other words:
1.) Write your own Principal class that holds whatever data you want to have available (and that you have available to populate it with). If memory serves correctly, this may have to derive from the existing Tomcat Principal class.
2.) Write your own Realm class (hint: copy the existing RDBMSRealm and make changes).
3.) Declare your Realm in server.xml.
4.) In your application, call getUserPrincipal() and cast the result to your Principal-derived class.

Hints:
Look at the Tomcat realm source code for the realms. Unless you are doing DIGEST or CERTIFICATE authentication, you can forgo implementing a number of the authentication methods.
It's better to declare an interface that your Principal implements and cast to that. Keep the Tomcat-specific stuff in a different JAR (project) so that your app does not become tied to Tomcat.
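
Step 4 and the interface hint above, as an added example (not part of the original posts and not Tomcat's own code): the application depends only on `java.security.Principal` and a hypothetical `AppUser` interface, and treats a missing or unexpected principal as not logged in. `RealmUser` is a constructed stand-in for the object a custom Realm would return.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

public class PrincipalCastDemo {

    /** Container-neutral view of the logged-in user (hypothetical name). */
    interface AppUser extends Principal {
        Set<String> getRoles();
        Map<String, String> getAttributes();
    }

    /** Constructed stand-in; in a real deployment this class would sit in the
     *  Tomcat-specific JAR next to the Realm, not in the web application. */
    static final class RealmUser implements AppUser {
        private final String name;
        private final Set<String> roles;
        private final Map<String, String> attributes;

        RealmUser(String name, Set<String> roles, Map<String, String> attributes) {
            this.name = name;
            this.roles = Collections.unmodifiableSet(roles);
            this.attributes = Collections.unmodifiableMap(attributes);
        }
        @Override public String getName() { return name; }
        @Override public Set<String> getRoles() { return roles; }
        @Override public Map<String, String> getAttributes() { return attributes; }
    }

    /** Pass in request.getUserPrincipal(). Empty covers null (no authentication)
     *  and a principal of another type or from another class loader's AppUser. */
    static Optional<AppUser> currentUser(Principal p) {
        return (p instanceof AppUser) ? Optional.of((AppUser) p) : Optional.empty();
    }

    /** Fail closed: without a recognised AppUser, no role is granted. */
    static boolean hasRole(Principal p, String role) {
        return currentUser(p).map(u -> u.getRoles().contains(role)).orElse(false);
    }

    public static void main(String[] args) {
        Principal alice = new RealmUser("alice", Collections.singleton("admin"),
                Collections.singletonMap("email", "alice@example.test"));
        Principal foreign = () -> "alice";               // some other Principal type
        System.out.println(hasRole(alice, "admin"));     // principal of our type
        System.out.println(hasRole(foreign, "admin"));   // same name, wrong type
        System.out.println(hasRole(null, "admin"));      // unauthenticated request
    }
}
```

Checking with `instanceof` before the cast keeps an unexpected principal from surfacing as a `ClassCastException` inside request handling, and the role check then denies by default.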
 