J2EE authentication

Lionel

Hi,

I'm a seasoned Java programmer but I am currently introducing myself to
J2EE.

One thing I've noticed is that the Sun tutorials all talk about adding a
user to the Glassfish realm to do authentication. As far as I can tell
this is not what I want to do as it seems to involve a manual step of
adding users. I also don't want to tie myself to a specific application
server.

I've discovered the Netbeans example JsfJPA which looks like what I
want, but seems a little messy, the user model and the algorithms are
all mixed in and the separation is not good.

I discovered this
http://www.novocode.com/doc/servlet-essentials/chapter4b.html#ch_4_5
which looks quite good to me.

What I am trying to achieve is, for example, say a simple board game
website where a user can register then log in and see their games, play etc.

What is the best technology to do this? A servlet as in the example
above? Java Server Faces?

Thanks
 
Lionel

> Hi,
>
> I'm a seasoned Java programmer but I am currently introducing myself to
> J2EE.
>
> One thing I've noticed is that the Sun tutorials all talk about adding a
> user to the Glassfish realm to do authentication. As far as I can tell
> this is not what I want to do as it seems to involve a manual step of
> adding users. I also don't want to tie myself to a specific application
> server.
>
> I've discovered the Netbeans example JsfJPA which looks like what I
> want, but seems a little messy, the user model and the algorithms are
> all mixed in and the separation is not good.
>
> I discovered this
> http://www.novocode.com/doc/servlet-essentials/chapter4b.html#ch_4_5
> which looks quite good to me.
>
> What I am trying to achieve is, for example, say a simple board game
> website where a user can register then log in and see their games, play
> etc.
>
> What is the best technology to do this? A servlet as in the example
> above? Java Server Faces?

Oh, and I would have a MySQL database for storage.
 
Donkey Hottie

> Hi,
>
> I'm a seasoned Java programmer but I am currently introducing myself to
> J2EE.
>
> One thing I've noticed is that the Sun tutorials all talk about adding a
> user to the Glassfish realm to do authentication. As far as I can tell
> this is not what I want to do as it seems to involve a manual step of
> adding users. I also don't want to tie myself to a specific application
> server.
>
> I've discovered the Netbeans example JsfJPA which looks like what I
> want, but seems a little messy, the user model and the algorithms are
> all mixed in and the separation is not good.
>
> I discovered this
> http://www.novocode.com/doc/servlet-essentials/chapter4b.html#ch_4_5
> which looks quite good to me.
>
> What I am trying to achieve is, for example, say a simple board game
> website where a user can register then log in and see their games, play
> etc.
>
> What is the best technology to do this? A servlet as in the example
> above? Java Server Faces?

Each and every JEE container does this in their proprietary way.
However, they all usually offer alternative types of user registry, it
can be a flat file, SQL database, LDAP, whatever. I might want to pick
one that you feel comfortable to manipulate.

I don't know how one does it in Glassfish, but for example in JBoss it's
very easy to set up the authentication against a SQL database. Then you
just write the user registration into that DB table(s) and the user can
authenticate.

Authentication is not standardized, except JAAS, which they all use
behind the scenes, more or less, and all in a different way ;) So that's
for the standards...
 
Lew

Adding users had better be a manual step.

I use a popular blog-site package and bots register for that site all the
time. I have to manually unregister the users. It's annoying. I suppose I
should add a captcha to force entry of new users to be a manual step.

Donkey said:
> Each and every JEE container does this in their proprietary way.
> However, they all usually offer alternative types of user registry, it
> can be a flat file, SQL database, LDAP, whatever. I might want to pick
> one that you feel comfortable to manipulate.
>
> I don't know how one does it in Glassfish, but for example in JBoss it's

Similarly.

> very easy to set up the authentication against a SQL database. Then you
> just write the user registration into that DB table(s) and the user can
> authenticate.
>
> Authentication is not standardized, except JAAS, which they all use
> behind the scenes, more or less, and all in a different way ;) So that's
> for the standards...

There are a lot of Java EE authentication packages or frameworks and they work
with all the containers, pretty much.
 
markspace



This looks quite terrible to me. First, all they do is add the user
name to the Session object, there's no database persistence, so it won't
do what you are hoping. Second they are writing the page results as a
stream of characters which is a big no-no. They should be using some
form of JSP and MVC.

What I would do if I was just starting out (and I pretty much am,
although I'm somewhat familiar with the technologies you mention) is
just do this raw.

First, restrict yourself to just Servlets and JSP. Most of the other
frameworks are massive overkill for a small site.

Second, make a simple interface just like you would for a regular Java
program.

    public interface UserPersistence {
        User getUser( String name );
        void addUser( User u );
        void deleteUser( User u );
    }

    public class User {
        // bunch o' properties here...
    }

Use this everywhere in your servlets. Then just implement the guts of
UserPersistence as simply and straight-forward as possible. Use JDBC
and pull the parameters out of the web.xml file, so you can configure
your database externally to your program.

Here's a decent example of what I'm talking about:

<http://www.caucho.com/resin-3.0/db/tutorial/jdbc-ioc/index.xtp>

Instead of accessing the SQL directly as shown, use the UserPersistence
interface above. That way all your messy SQL stays in one class and can
be changed easily.

> What I am trying to achieve is, for example, say a simple board game
> website where a user can register then log in and see their games, play
> etc.
>
> What is the best technology to do this? A servlet as in the example
> above? Java Server Faces?


As soon as you say "game" I throw most web technologies out the window.
If you can conceive your game written in plain HTML, then you can use
a standard web front-end technology. Otherwise, it's lots of custom
JavaScript, or Flash or something, or a Java Applet. The latter is what
I'd do as a Java programmer.

In the case of an Applet, the website is just the content delivery
mechanism. You could write the website in HTML or PHP if you wanted.
Use JWS or JNLP to deliver the Applet, doesn't matter much.
 
Arved Sandstrom

> Hi,
>
> I'm a seasoned Java programmer but I am currently introducing myself to
> J2EE.
>
> One thing I've noticed is that the Sun tutorials all talk about adding a
> user to the Glassfish realm to do authentication. As far as I can tell
> this is not what I want to do as it seems to involve a manual step of
> adding users. I also don't want to tie myself to a specific application
> server.
[ SNIP ]

One, realize that _someone_ - whether that's an administrator or a user
- does have to manually enter the credentials into the authentication
datastore. As has been pointed out, that can be a relational database, a
flat file, XML, LDAP, you name it. Ideally you set up a registration
system so the users do the work.

If you see one or the other tutorial, or server documentation, refer to
manually editing files, or adding users/groups through an admin
interface, that's not a capability you'd normally use in production.

Two, you'll _always_ be tied to a specific application server, just like
you're often tied to specific databases, or LDAP directory servers, or
JPA persistence implementations, or message queues, or ESBs, or rules
engines. There is enough investment of effort involved in gaining
expertise with infrastructure, and fine-tuning applications that run on
specific infrastructure, that it's rarely worth it to try to keep apps
that generic. Don't get me wrong, you don't go overboard using umpteen
custom native APIs, but you don't make a fetish of avoiding their use
either.

AHS
 
Arne Vajhøj

> I'm a seasoned Java programmer but I am currently introducing myself to
> J2EE.
>
> One thing I've noticed is that the Sun tutorials all talk about adding a
> user to the Glassfish realm to do authentication. As far as I can tell
> this is not what I want to do as it seems to involve a manual step of
> adding users. I also don't want to tie myself to a specific application
> server.

First thing to decide is between container managed authentication and
app managed authentication.

With container managed authentication the user/role database is
external to your app and the container manages the check of whether
the session is authenticated. The app just supplies a login
page and can restrict access via either declaration in web.xml or
using the servlet API.

With app managed authentication you do everything yourself and
store something in session to indicate status and check on that.

I would strongly recommend container managed authentication,
because it is not that easy to get everything correct - so better
to reuse what IBM/BEA/JBoss/Apache has done.

Note that if you have ever done ASP (classic not .NET) or PHP,
then app managed authentication is standard.

> I've discovered the Netbeans example JsfJPA which looks like what I
> want, but seems a little messy, the user model and the algorithms are
> all mixed in and the separation is not good.
>
> I discovered this
> http://www.novocode.com/doc/servlet-essentials/chapter4b.html#ch_4_5
> which looks quite good to me.

That seems to be app managed authentication in the toy edition.

Forget it.

> What I am trying to achieve is, for example, say a simple board game
> website where a user can register then log in and see their games, play
> etc.
>
> What is the best technology to do this? A servlet as in the example
> above? Java Server Faces?

Go for container managed authentication.

It does not matter much what mix of technologies you use
servlet/JSP/JSF/JSTL/EL/facelets.

Anything running inside a servlet container can do it.

Arne
 
Arne Vajhøj

> This looks quite terrible to me. First, all they do is add the user name
> to the Session object, there's no database persistence, so it won't do
> what you are hoping.

If it authenticates a user, then putting it in session is
what he is hoping for.

> Second they are writing the page results as a
> stream of characters which is a big no-no. They should be using some
> form of JSP and MVC.

Yep.

Arne
 
Roedy Green

> One thing I've noticed is that the Sun tutorials all talk about adding a
> user to the Glassfish realm to do authentication. As far as I can tell
> this is not what I want to do as it seems to involve a manual step of
> adding users. I also don't want to tie myself to a specific application
> server.

I would presume there is in any scheme some sort of programmatic
addUser hook. You can then invent an interface, and implement
whatever nonsense you need for any given womb. It would work much the
way JDBC hooks work. Publish it as an independent piece and it might
become the core of an official API.

--
Roedy Green Canadian Mind Products
http://mindprod.com
To err is human, but to really foul things up requires a computer.
~ Farmer's Almanac
It is breathtaking how a misplaced comma in a computer program can
shred megabytes of data in seconds.
 
