J c

Reputation: 6413

User registration framework for java

I am interested in using something like TomEE (an implementation of the Java EE 6 Web Profile) for building a web site (in a tool like Eclipse or NetBeans), as the following things are appealing to me:

Next, I'd like to determine the feasibility of incorporating some additional building blocks to give me a framework for a typical web-facing registration/login mechanism.

The thing is, I'm concerned I might lose too much flexibility and control if I went with a full-blown web framework like Play, Vaadin, or Grails. However, I'd also like to avoid having to reinvent the wheel by implementing the following mechanisms entirely on my own:

Ideally, I'd like an authentication/authorization mechanism that uses an extensible POJO layer complete with basic sample pages. From my research it seems like JAAS probably isn't going to cut it, and I'm a bit fuzzy on whether projects like Apache Shiro, Spring Security, DeltaSpike, or PicketLink would give me a push in the forward direction or whether they are overkill.

Could someone more familiar with the Java ecosystem please explain what is available to bridge the gap between an implementation of the web profile and the features described above (namely, a user registration/login framework)?

Upvotes: 2

Views: 2061

Answers (3)

ShayM

Reputation: 106

CAPTCHA, email verification, and password recovery are not part of the core security services; they are more of added features. The core services are authentication, authorization, and session management.

Some of the aspects that distinguish these technologies are:

  • Does using a specific technology "bind" you to it?

  • How much custom development will need to be done.

  • The scale and volume that a technology can support and the effort required to get it there.

Technologies

  • Using Spring usually means that you would need to bring the whole Spring ecosystem into your project. It does many things for you and simplifies development, but it does mean a pretty tight coupling to Spring.

  • Apache Shiro is pretty robust and provides a very nice abstraction layer with looser coupling; it integrates with numerous other technologies, including Spring Security, and provides web UI integration with JSF.

  • PicketLink is a very powerful technology with many security features, but it might not be as turnkey as Shiro or Spring. If you think that down the road you will want your security framework to be enterprise grade and implement features such as an IDP, PicketLink could be a very good choice to build on.

Upvotes: 2

Angular University

Reputation: 43087

Check the Emmet framework, which contains extensions on Spring Security; it has several of the features you mention, although not all. If you decide to implement some of the components yourself, it might help to have a look at their code.

But for Java, Spring Security seems to be the most widely deployed solution, as it's highly customizable: you can, for example, configure it to store users in a database or LDAP, grant access based on roles or access control lists, and so on.

I think no framework provides all these building blocks, but for user registration, for example, there are external services that manage the user database and send registration transactional emails on your behalf that are more or less guaranteed not to fall into the spam mailbox.

An example of such service is mailjet.

One of the advantages of going with a full stack like Vaadin is that these frameworks will apply most of the OWASP best practices for you, like putting CSRF tokens in place or avoiding script injection with proper escaping, etc.

This helps to somewhat compensate for the lack of flexibility, which is usually less than it might seem. For example, in Spring MVC almost everything is pluggable; in Vaadin, if you don't like a given widget you can customize it and write your own.

Upvotes: 3

John Donn

Reputation: 1858

Spring Security is, as far as I know, "low level" security: i.e. it is used to prevent users with insufficient authorization from accessing web application resources, such as portions of code, web pages, or other web application "resources". User registration and CAPTCHA you would probably have to implement on your own (perhaps by taking existing components/libraries, e.g. https://stackoverflow.com/a/220452/999264 for CAPTCHA, etc.) and integrate them with Spring Security yourself.

Upvotes: 3
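To make the split between the two preceding answers concrete (Spring Security owning authentication, authorization and session management; registration and email verification being your own code), here is an added example, not taken from this thread or from the Spring project: a Spring Security Java configuration with a JDBC user store, role-based URL rules and the self-service pages left open. It assumes `users`/`authorities` tables in the shape Spring's `jdbcAuthentication()` expects, a `DataSource` bean supplied by the application, and the pre-5.7 `WebSecurityConfigurerAdapter` API.

```java
import javax.sql.DataSource;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumption: the application provides a DataSource bean for the user tables.
    private final DataSource dataSource;

    public SecurityConfig(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    // Your own registration code must store passwordEncoder().encode(rawPassword),
    // never the raw value; the same encoder is used to verify logins below.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Authentication: users and roles come from the database. The 'enabled' column
    // is how a home-grown email-verification step plugs in: insert the row with
    // enabled = false at registration, flip it to true when the link is confirmed,
    // and Spring Security rejects the login (DisabledException) until then.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication()
            .dataSource(dataSource)
            .passwordEncoder(passwordEncoder())
            .usersByUsernameQuery("select username, password, enabled from users where username = ?")
            .authoritiesByUsernameQuery("select username, authority from authorities where username = ?");
    }

    // Authorization: self-service pages stay anonymous, admin URLs need a role,
    // everything else needs a session. CSRF protection is on by default and left on.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/register/**", "/verify/**", "/recover/**", "/css/**").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
            .and().formLogin().loginPage("/login").permitAll()
            .and().logout().permitAll();
    }
}
```

The registration, CAPTCHA and password-recovery controllers behind `/register`, `/verify` and `/recover` are the part you still write yourself; they only touch the `users` table and the encoder, and Spring Security handles the rest.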
