I would like to get some views on how to implement a custom login/authentication for a web application.
I like to keep the project as simple as possible, yet with flexibility, using my own custom user object with different roles and attributes.
I am using Java/JSP with Tomcat.
I have previously used form based authentication with tomcat.
In server.xml I configured the application with a Realm inside the application context, using my own userRoleTable for the custom user in my database.
To actually get my user object in the servlet I do the following:
String username = request.getUserPrincipal().getName();
I then get the user from my user table based on the username as query parameter.
List<MyUser> myUsers = DAOFactory.DEFAULT.buildMyUserDAO().findByname(username);
Is there any other cleaner/better way to do this with tomcat?
Do you have other suggestions for how to handle custom user login/authentication?
Spring or something else?
Especially in Tomcat it is not too difficult to implement your own Realm and Principal. You can stuff pretty much anything you need in the Principal derivation and access it using getUserPrincipal(). If you know that the Principal instance returned is of your type, just cast it and you can get to whatever you put into it.
In other words:
1.) Write your own Principal class that holds whatever data you want to have available (and that you have available to populate it with). If memory serves correctly, this may have to derive from the existing Tomcat Principal class.
2.) Write your own Realm class (hint: copy the existing RDBMSRealm and make changes)
3.) Declare your Realm in server.xml
4.) In your application, call getUserPrincipal() and cast the result to your Principal derived class
Look at the Tomcat source code for the realms: unless you are doing DIGEST or CERTIFICATE authentication, you can forgo implementing a number of the authentication methods.
It's better to declare an interface that your Principal implements and cast to that. Keep the Tomcat specific stuff in a different JAR (project) so that your app does not become tied to Tomcat.
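The four steps from the first reply, combined with the second reply's advice to cast to an interface kept out of the Tomcat-specific JAR, as an added example that is not part of the original thread and not Tomcat's own code. It assumes Tomcat 9 (javax.servlet, the three-argument GenericPrincipal constructor), a JNDI DataSource named jdbc/appdb defined under GlobalNamingResources in server.xml, and hypothetical package names (com.example.auth, com.example.auth.tomcat) and tables (users, user_roles) that the thread never specifies.

```java
// ===== AppUser.java : application JAR, no Tomcat dependency (the interface from the second reply) =====
package com.example.auth;                      // hypothetical package names throughout

import java.security.Principal;
import javax.servlet.http.HttpServletRequest;

/** The view of a logged-in user the web app codes against; the Tomcat JAR implements it. */
public interface AppUser extends Principal {
    long getUserId();
    String getDisplayName();

    /** Step 4 without casting to a Tomcat class: the application only ever sees AppUser. */
    static AppUser of(HttpServletRequest req) {
        Principal p = req.getUserPrincipal();
        if (p instanceof AppUser) return (AppUser) p;
        throw new IllegalStateException("request carries no authenticated AppUser");
    }
}

// ===== MyPrincipal.java : Tomcat-specific JAR, deployed in $CATALINA_BASE/lib (step 1) =====
package com.example.auth.tomcat;

import java.util.List;
import org.apache.catalina.realm.GenericPrincipal;
import com.example.auth.AppUser;

/** Extending GenericPrincipal keeps Tomcat's own hasRole()/isUserInRole() working unchanged. */
public class MyPrincipal extends GenericPrincipal implements AppUser {
    private final long userId;
    private final String displayName;

    public MyPrincipal(String username, List<String> roles, long userId, String displayName) {
        super(username, null, roles);          // Tomcat 9 signature; no need to carry the stored hash around
        this.userId = userId;
        this.displayName = displayName;
    }
    @Override public long getUserId() { return userId; }
    @Override public String getDisplayName() { return displayName; }
}

// ===== MyRealm.java : same Tomcat-specific JAR (step 2) =====
package com.example.auth.tomcat;

import java.security.Principal;
import java.sql.*;
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingException;
import javax.sql.DataSource;
import org.apache.catalina.realm.RealmBase;

/*
 * Step 3, declared in META-INF/context.xml (or server.xml). The nested CredentialHandler is what compares
 * the submitted password with the stored value, so users.password_hash must hold hashes produced by that
 * same handler (bin/digest.sh or CredentialHandler.mutate()), never plaintext:
 *
 *   <Realm className="com.example.auth.tomcat.MyRealm" dataSourceName="jdbc/appdb">
 *     <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
 *                        algorithm="PBKDF2WithHmacSHA256" iterations="100000" saltLength="16" keyLength="256"/>
 *   </Realm>
 *
 * Assumed schema: users(id, username, password_hash, display_name) and user_roles(username, role).
 */
public class MyRealm extends RealmBase {
    private String dataSourceName = "jdbc/appdb";               // populated from the <Realm> attribute
    public String getDataSourceName() { return dataSourceName; }
    public void setDataSourceName(String n) { dataSourceName = n; }

    private Connection open() throws SQLException, NamingException {
        // A Realm has no java:comp/env of its own, so the Resource lives under <GlobalNamingResources>
        DataSource ds = (DataSource) getServer().getGlobalNamingContext().lookup(dataSourceName);
        return ds.getConnection();
    }

    /** FORM/BASIC only: RealmBase.authenticate() hashes the submitted password and compares it to this value. */
    @Override
    protected String getPassword(String username) {
        try (Connection c = open();
             PreparedStatement ps = c.prepareStatement("SELECT password_hash FROM users WHERE username = ?")) {
            ps.setString(1, username);                          // bound parameter: no SQL injection via the login form
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;      // null makes RealmBase reject the login
            }
        } catch (SQLException | NamingException e) {
            containerLog.error("credential lookup failed", e);  // keep the untrusted username out of the log line
            return null;
        }
    }

    /** Called only after the password matched; builds the object that getUserPrincipal() will return. */
    @Override
    protected Principal getPrincipal(String username) {
        try (Connection c = open()) {
            long id; String display;
            try (PreparedStatement ps = c.prepareStatement("SELECT id, display_name FROM users WHERE username = ?")) {
                ps.setString(1, username);
                try (ResultSet rs = ps.executeQuery()) {
                    if (!rs.next()) return null;
                    id = rs.getLong(1); display = rs.getString(2);
                }
            }
            List<String> roles = new ArrayList<>();
            try (PreparedStatement ps = c.prepareStatement("SELECT role FROM user_roles WHERE username = ?")) {
                ps.setString(1, username);
                try (ResultSet rs = ps.executeQuery()) { while (rs.next()) roles.add(rs.getString(1)); }
            }
            return new MyPrincipal(username, roles, id, display);
        } catch (SQLException | NamingException e) {
            containerLog.error("principal lookup failed", e);
            return null;
        }
    }
}
```

Two deployment checks worth doing: the JAR holding AppUser must be loaded by the same class loader that loads MyRealm (put it in $CATALINA_BASE/lib, not in WEB-INF/lib as well), otherwise the instanceof check in AppUser.of() fails because the webapp and the Realm see two different AppUser classes; and the CredentialHandler settings in the Realm must match how the hashes in the users table were generated, or every login is rejected even though nothing is logged as an error.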