Authenticating Users

Sunny Jassal
Greenhorn

Joined: Feb 08, 2011
Posts: 13
Hello,

I have been using Java for many years; however, I have never used the security features of Java EE or used EJB. In an effort to understand the concepts I went through the tutorial for Java EE 6 and am currently trying to build an application. For authentication, I understand that the users would be created in the GlassFish server through the admin interface; however, I am confused regarding this approach. I am used to handling security via a database, for instance creating a user table and a role table in the database. This way the related tables in the database can know the user id and its roles. I would like to try to use the security approach as it is described in the tutorial in an effort to educate myself.

I am confused about how the user that is created on a GlassFish server would be associated with a user-defined database. For instance, let's take a simple relationship of a user and an address book. There would be a user id that would connect both tables. If the users are created on a GlassFish server, how would the user-defined database use this information? I would think that there should be a users table created in the user-defined database. If that is the case, how would the users in the GlassFish server be kept in sync with the users in the database? We create/edit/delete users in the GlassFish server, so if using this approach, how would the same information get synced up with the users table in the database? The second approach I can think of is not to create a users table in the database and to pass the user id to the address bean while performing updates. However, I am not comfortable with this approach, as the user id that would be in the address table would not be checked against any constraints, since it would not be a foreign key.

Another confusion is how one would create a user interface for a user to reset their password if the user is on the GlassFish server.

Am I on the right track, or am I completely missing the point?

Thanks for reading this; any feedback would be greatly appreciated.
Arshad Noor
Ranch Hand

Joined: Oct 06, 2011
Posts: 34
I have not implemented the File, Database or LDAP Realm, but I have first-hand experience with Certificate Realm-based authentication in GlassFish, so I can provide some pointers that might help.

Each authentication Realm in GlassFish has "hooks" that allow it to communicate with other authentication sources. With the Database Realm, you essentially configure JDBC drivers for that DB and provide information that allows GF to authenticate users against the DB. With the LDAP Realm, you configure the LDAP connection parameters so that GF can authenticate users against LDAP.

Here is an explanation of Realms, Roles, etc.: http://download.oracle.com/javaee/6/tutorial/doc/bnbxj.html
Here is a tutorial on how to use the File Realm with a web application that can provide some guidance: http://netbeans.org/kb/docs/web/security-webapps.html
Here's one on how to use the LDAP Realm: http://wiki.netbeans.org/SecureJavaEE6App

Hope that helps.

Arshad Noor
StrongAuth, Inc.
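An added example (not code from either poster) of the Database Realm approach described above: GlassFish authenticates against the application's own users table, so the address book rows can carry a real foreign key to it and a password-reset page simply updates the same table. The realm name, datasource `jdbc/addressDS`, table and column names, and the SHA-256/lowercase-hex password encoding are assumptions.

```java
// Added example, not from the thread. Assumes a GlassFish JDBC realm "addressRealm"
// pointed at the application's own datasource, e.g.:
//   asadmin create-auth-realm --classname com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm \
//     --property jaas-context=jdbcRealm:datasource-jndi=jdbc/addressDS:user-table=users:\
//     user-name-column=username:password-column=password:group-table=user_groups:\
//     group-name-column=groupname:digest-algorithm=SHA-256 addressRealm
// Constructed schema: users(username PK, password), user_groups(username FK, groupname),
// addressbook(id, username FK -> users.username, street, city). Same table for realm and app.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.sql.*;
import javax.annotation.Resource;
import javax.servlet.ServletException;
import javax.servlet.annotation.*;
import javax.servlet.http.*;
import javax.sql.DataSource;

@WebServlet("/address")
@ServletSecurity(@HttpConstraint(rolesAllowed = "user")) // role "user" mapped to a group in glassfish-web.xml
public class AddressServlet extends HttpServlet {
    @Resource(lookup = "jdbc/addressDS")
    private DataSource ds;

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The identity comes from the container after realm authentication, never from a form field.
        String user = req.getUserPrincipal().getName();
        boolean reset = "reset".equals(req.getParameter("action"));
        String sql = reset ? "UPDATE users SET password = ? WHERE username = ?"
                           : "INSERT INTO addressbook(username, street, city) VALUES (?, ?, ?)";
        try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
            if (reset) { // password reset: write the column the realm verifies, hashed as configured
                ps.setString(1, sha256Hex(req.getParameter("newPassword")));
                ps.setString(2, user);
            } else {
                ps.setString(1, user); // FK violation if no matching users row exists
                ps.setString(2, req.getParameter("street"));
                ps.setString(3, req.getParameter("city"));
            }
            ps.executeUpdate();
        } catch (SQLException | NoSuchAlgorithmException e) {
            throw new ServletException(e);
        }
    }

    // Assumed realm encoding: unsalted SHA-256 as lowercase hex; match the realm's encoding property.
    static String sha256Hex(String pw) throws NoSuchAlgorithmException {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(pw.getBytes(StandardCharsets.UTF_8));
        return String.format("%064x", new java.math.BigInteger(1, d)); // zero-padded, lowercase
    }
}
```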

Sunny Jassal
Greenhorn

Joined: Feb 08, 2011
Posts: 13
Thank you very much. It makes sense now. I appreciate the help!