I really don't have a question for the authors, I just want to thank you so much for the remarkable content! The Java EE 7 Tutorial is an invaluable resource to me; I'm writing my Java EE 7 thesis and the tutorial PDF is always open on my second screen. But obviously a physical book is better.
At first look it may seem chaotic and massive, but I find the flow is rather easy to follow. Must-have resource!
I do indeed have a couple of questions; well, only one is actually a question, the second is just a where-in-the-tutorial kind of thing.
1. Is it really necessary for me to set up a JDBC Realm to authenticate users against a DB? Couldn't I just query the DB with the input credentials and see if the given user is there? If yes, I could direct them to the content; if no, they would be directed to register.
2. Although I have a working user login solution with a JDBC Realm, Form auth-method and the j_security_check mechanism, I want to convert it to use my own JSF form, backing beans and JPA calls. Could you advise me on which specific parts of the Security section of the Tutorial I should study?
Well, let me try to address both questions with a few thoughts you might consider:
The Realm concept that most application servers (Glassfish, WebLogic, JBoss, WebSphere...) implement is backed by the security specification of Java EE, which "defines" the minimal requirements; unfortunately most of them have their own proprietary implementation, but at least they follow the spec guidance (deployment descriptors, user/group, authentication and authorization concepts, etc.).
It's possible to implement custom authentication mechanics as some people do with Servlet filters, for example. On every request the filter checks some session information against a DB, etc., but I still prefer the Realms concept since most containers offer more fine-grained control for authorization/authentication.
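As an added example of the direction question 2 asks about (not code from the tutorial or from either poster): a hypothetical JSF backing bean that keeps the JDBC Realm in place but replaces the post to j_security_check with a call to the Servlet 3.0 `HttpServletRequest.login()` API, so a custom form still gets the container's password verification and role checks. `LoginBean`, its fields and the `home` navigation outcome are assumptions.

```java
import javax.enterprise.context.RequestScoped;
import javax.faces.application.FacesMessage;
import javax.faces.context.FacesContext;
import javax.inject.Named;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

// Hypothetical backing bean, assumed to be bound to a plain JSF login form
// (h:inputText for username, h:inputSecret for password, h:commandButton
// action="#{loginBean.login}"). A JDBC Realm is assumed to be configured in
// the container; the bean never reads the user table or compares hashes itself.
@Named
@RequestScoped
public class LoginBean {

    private String username;
    private String password;

    public String login() {
        FacesContext ctx = FacesContext.getCurrentInstance();
        HttpServletRequest request =
                (HttpServletRequest) ctx.getExternalContext().getRequest();
        try {
            // Delegates the credential check to the configured realm (Servlet 3.0).
            request.login(username, password);
        } catch (ServletException e) {
            // One generic message for unknown user and wrong password alike,
            // so the form does not reveal which accounts exist.
            ctx.addMessage(null, new FacesMessage(
                    FacesMessage.SEVERITY_ERROR, "Login failed", null));
            return null; // stay on the login page
        } finally {
            password = null; // do not keep the plaintext in the bean
        }
        // Renew the session id after authentication (Servlet 3.1, Java EE 7)
        // so a session id fixed before login is not reused afterwards.
        request.changeSessionId();
        // Authorization still comes from the realm's groups, e.g.
        // request.isUserInRole("user") or security constraints in web.xml.
        return "home?faces-redirect=true"; // assumed navigation outcome
    }

    public String logout() throws ServletException {
        FacesContext ctx = FacesContext.getCurrentInstance();
        ((HttpServletRequest) ctx.getExternalContext().getRequest()).logout();
        ctx.getExternalContext().invalidateSession();
        return "login?faces-redirect=true"; // assumed navigation outcome
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```

The JPA parts of the application can then look up the authenticated principal via `request.getUserPrincipal()` instead of re-checking credentials on every request.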