Reputation: 187
I am creating a web application using Servlets and JPA. I have a user table that stores usernames, passwords and roles. I would like to create login and user registration functionality for these users so that some of my content is accessible to certain users. As I read through the Servlet specification and also Tomcat, which is the container I use, I have come across two ways of defining users and roles of the system.
The Tomcat specification suggests I can use Realms to tie into another database so that I can choose to use SSO if I wish. Servlets have their own way of defining users and roles using the web.xml, such as basic authentication for example, so does the Servlet container, using Realms.
But to create users and roles in the Servlet and the Container seems to be something that the system administrator would do. What I am looking for is a self-registration.
The question above highlights my confusion with these approaches; I don't know if the way I want to proceed is correct or secure. Can someone explain the differences between these methods of authentication? Why choose one over the other? Is my plan to use self-registration a bad idea or insecure for the J2E model?
Upvotes: 2
Views: 503
Reputation: 1256
If you store your user ids, passwords and roles in your database and validate user input against that, you are on your own thereafter. What that means is that later, when you want to restrict access to particular content for a specific set of user roles, you will have to look up the role stored in your db table for the user and write code that allows/restricts the user.
However, if you 'push' the user to the underlying container, then the container can do most of the stuff on the application's behalf (that is where the stuff about realms and roles etc. comes in). A good starting point to understand this is to read a tutorial on JAAS.
Upvotes: 1
Reputation: 3157
I think you are confusing users and roles. In your web.xml you have to associate roles to resources, for example "all the requests to /admin should have role Administrator", and then you create users under your administration tool and assign to those users the proper roles.
Upvotes: 0
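The two answers above describe the split the question is asking about: web.xml binds roles to URL patterns, and the container (via a Realm) decides who has which role. Self-registration does not conflict with that; the application only has to write users and roles into the tables the Realm reads, and can then hand the new user to the container with `HttpServletRequest.login()` (Servlet 3.0+). The listing below is an added example, not code from the question or either answer. It assumes Tomcat 9 (`javax.servlet`), Java 17 (for `HexFormat`), a JNDI DataSource `jdbc/app`, hypothetical tables `users(user_name, user_pass)` and `user_roles(user_name, role_name)`, a web.xml with `<security-constraint>` entries mapping `/members/*` to role `member` and `/admin/*` to role `admin`, and a `DataSourceRealm` whose `SecretKeyCredentialHandler` is configured with `algorithm="PBKDF2WithHmacSHA256" iterations="100000" keyLength="256"`. The stored credential is written in the `salt$iterations$derivedKey` hex form that handler compares against; confirm the format against the Realm documentation for your Tomcat version before relying on it.

```java
// --- RegisterServlet.java (added example; names and schema are assumptions, see lead-in) ---
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.HexFormat;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

@WebServlet("/register")
public class RegisterServlet extends HttpServlet {
    // Must match the <CredentialHandler> attributes in the (assumed) Realm config,
    // otherwise the container will never match what we store.
    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;
    private static final String ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final SecureRandom RNG = new SecureRandom();

    // Build "salt$iterations$key" (hex) so the Realm, not the app, verifies passwords later.
    static String pbkdf2Credential(char[] password) throws ServletException {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            byte[] key = SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
            HexFormat hex = HexFormat.of();
            return hex.formatHex(salt) + "$" + ITERATIONS + "$" + hex.formatHex(key);
        } catch (GeneralSecurityException e) {
            throw new ServletException("password hashing failed", e);
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        // Tight username alphabet keeps the value safe to echo in pages and logs; length floor for passwords.
        if (user == null || pass == null || !user.matches("[A-Za-z0-9_]{3,64}") || pass.length() < 12) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid username or password too short");
            return;
        }
        String credential = pbkdf2Credential(pass.toCharArray());
        try {
            DataSource ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/app");
            try (Connection c = ds.getConnection()) {
                c.setAutoCommit(false); // user row and role row land together or not at all
                try (PreparedStatement u = c.prepareStatement(
                         "INSERT INTO users(user_name, user_pass) VALUES (?, ?)");
                     PreparedStatement r = c.prepareStatement(
                         "INSERT INTO user_roles(user_name, role_name) VALUES (?, ?)")) {
                    u.setString(1, user); u.setString(2, credential); u.executeUpdate();
                    // Self-registration only ever grants the low-privilege role; "admin" is assigned by an operator.
                    r.setString(1, user); r.setString(2, "member"); r.executeUpdate();
                }
                c.commit();
            }
        } catch (NamingException | SQLException e) {
            // A duplicate username surfaces as SQLException; keep the client-facing message generic.
            resp.sendError(HttpServletResponse.SC_CONFLICT, "registration failed");
            return;
        }
        // Hand the session to the container: from here on the Realm owns the identity and role checks.
        req.login(user, pass);
        resp.sendRedirect(req.getContextPath() + "/members/profile");
    }
}

// --- ProfileServlet.java: a resource web.xml already restricts to role "member" ---
@WebServlet("/members/profile")
public class ProfileServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Unauthenticated callers were rejected by the container before this ran, so the Principal is set.
        String name = req.getUserPrincipal().getName();
        boolean admin = req.isUserInRole("admin"); // finer-grained checks stay available in code
        resp.setContentType("text/plain");
        resp.getWriter().println("hello " + name + (admin ? " (admin)" : ""));
    }
}
```

The design point is that application code writes credentials and roles once, at registration, and never compares passwords itself; URL-level authorization lives in web.xml and per-request decisions use `isUserInRole`, so adding a new protected area later is a web.xml change rather than a code change. Keep the hashing parameters in one place shared with the Realm configuration, because a mismatch (different iteration count or key length) silently locks every newly registered user out.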