New Security Features in Glassfish v3 (Java EE 6) - Part III

The login() method 

Continuing the previous articles on the new Servlet 3.0 security features in GlassFish v3, this post discusses the other programmatic way to log in to a web application: the login method of the HttpServletRequest API.

  HttpServletRequest.login(String username, String password) throws ServletException

Similar to the authenticate() method, the login() method authenticates a given username and password programmatically. As mentioned in this blog post, this method throws a ServletException when validation of the provided username and password fails, when the caller identity has already been established before the call to this method, or when the login mechanism configured in web.xml does not support username/password validation.

A recent fix stores the authentication state in the existing session after a successful login. If no session exists at that point, one is created to hold the auth state. The counterpart HttpServletRequest.logout() method clears this authentication state from the session. This change is available in the GlassFish v3 trunk and in the upcoming releases of GlassFish.
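
A servlet that exercises login() and logout() as described above, including the three ServletException cases. This is an added example, not code from the original post or from GlassFish; the servlet name, URL pattern and request parameter names are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: servlet name, URL pattern and parameter names are assumptions.
@WebServlet("/auth")
public class AuthServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("logout".equals(req.getParameter("action"))) {
            req.logout();                          // clears the auth state held in the session
            HttpSession s = req.getSession(false);
            if (s != null) s.invalidate();         // also drop any other per-user session data
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }
        // login() throws if a caller identity is already established, so check first.
        if (req.getUserPrincipal() != null) {
            resp.sendError(HttpServletResponse.SC_CONFLICT, "Already logged in");
            return;
        }
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing credentials");
            return;
        }
        // Discard any pre-login session so the auth state lands in a fresh one
        // (per the post, login() creates the session if none exists).
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        try {
            req.login(user, pass);                 // validated against the configured realm
        } catch (ServletException e) {
            // Bad credentials, or a login mechanism without username/password support.
            log("login() rejected a request");     // never log the password
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Login failed");
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Logged in as " + req.getRemoteUser());
    }
}
```

The credentials arrive as request parameters, so the endpoint should only be reachable over HTTPS.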


Comments:

Hello, a question regarding these security features, is there a way to handle the authentication process _inside_ the application? I mean, annotations/methods like @RolesAllowed, isUserInRole(), getUserPrincipal() sound very useful, but I can't delegate the authentication to Glassfish or anyone else, I need to lookup user/login in the database, do you see what I mean?

Thanks,

Kevin

Posted by Kevin on April 22, 2010 at 01:07 PM SCT #

You can use JSR196 modules to perform custom authentication to your container. Please check http://blogs.sun.com/monzillo/entry/pluggable_authentication_in_the_glassfish and http://blogs.sun.com/enterprisetechtips/entry/adding_authentication_mechanisms_to_the.
If you need to use database usernames/passwords for your authentication, you can also consider using JDBCRealms, which would not need JSR196. Please see http://blogs.sun.com/swchan/entry/jdbcrealm_in_glassfish

HTH
Nithya

Posted by Nithya on July 15, 2010 at 07:48 AM SCT #
