2 Replies Latest reply on Aug 18, 2006 5:38 PM by smokingapipe

    What's the best way to secure "user" pages (login)?


      Like all other web apps out there, we have Users who can sign up and get a password, and then they log in. I have a handy LoginAction session bean which handles the login part of it. It checks the password and if the user is correct, the user is installed in the session.

      Back in the days of servlets, I would always have a simple authentication filter that would just look in the session to see if this user is logged in.

      Is that still the best way to do this, or is there some nicer way?

      I was thinking of using JAAS but that looked like a nightmare of complexity compared to a plain old Filter.

        • 1. Re: What's the best way to secure

          Advantage of JAAS is that it is deeply integrated into JEE. EJB3 allows you to have method access security, Seam gives you isUserInRole, userPrincipal components, Tomahawk gives you attributes to disable/hide the JSF component and probably some more which I'm unaware of :). The one thing I haven't seen is a nice way of authenticating using a Seam component.

          It is a bit difficult getting JAAS set up, but once all the xml files are correct it does 'just work'; there is a security example on the wiki which should get you going (be careful to put all the xml files in the correct archive and in the correct place (META-INF or archive root)).

          • 2. Re: What's the best way to secure

            Thanks, I'll give that a try. It would be disappointing to have something as modern as Seam and then have to write a dumb old filter again. Also I do want fine-grained security. Like I might have a changeCreditLimit() method, and only an Admin should be able to call that. I know that JAAS can manage stuff like that. So I'll grind through whatever XML madness I need to do to get it working.
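The two approaches discussed in this thread side by side, as an added example that is not code from either poster: the "plain old Filter" that checks the session, and an EJB3 bean where the container enforces the role on changeCreditLimit(). The session attribute name "user", the login page path and the role name "Admin" are assumptions; they must match your LoginAction and your JAAS login-module configuration.

```java
// File: AuthenticationFilter.java (assumed names: session attribute "user", page /login.seam)
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Guards every request under the URL pattern it is mapped to in web.xml. */
public class AuthenticationFilter implements Filter {
    private static final String LOGIN_PAGE = "/login.seam"; // assumed

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The login page itself must pass, otherwise nobody can ever log in.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (path.equals(LOGIN_PAGE)) {
            chain.doFilter(req, res);
            return;
        }
        // getSession(false): do not create a session only to find it empty.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            // Redirect (not forward) so no protected content is rendered at all.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }
        chain.doFilter(req, res);
    }
}

// File: CreditManagerBean.java
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

/** Method-level security: the EJB container checks the caller's role on every
 *  invocation, whichever page or component reaches the method. */
@Stateless
public class CreditManagerBean {
    @RolesAllowed("Admin") // role name assumed; mapped by the JAAS login module
    public void changeCreditLimit(long customerId, int newLimit) {
        // business logic runs only for callers holding the Admin role
    }
}
```

The filter only protects URL paths, so a bean method reachable from an unfiltered path is unguarded; the @RolesAllowed check holds regardless of entry point, but only once the security domain is wired up in the XML descriptors the reply above refers to.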