What's the best way to secure "user" pages (login)?

smokingapipe Aug 18, 2006 5:18 AM

Like all other web apps out there, we have Users who can sign up and get a password, and then they log in. I have a handy LoginAction session bean which handles the login part of it. It checks the password and if the user si correct, the user is installed in the session.

Back in the days of servlets, I would always have a simple authentication filter that would just look in the session to see if this user is logged in.

Is that still the best way to do this, or is there some nicer way?

I was thinking of using JAAS but that looked like a nightmare of complexity compared to a plain old Filter.

1. Re: What's the best way to secure

pmuir Aug 18, 2006 5:30 AM (in response to smokingapipe)

Advantage of JAAS is that it deeply integrated into JEE. EJB3 allows you to have method access security, Seam gives you isUserInRole, userPrincipal components, Tomahawk gives you attributes to disable/hide the JSF component and probably some more which I'm unaware of :). The one thing I haven't seen is a nice way of authenticating using a Seam component.

It is a bit difficult getting JAAS set up, but once all the xml files are correct it does 'just work'; there is a security example on the wiki which should get you going (be careful to put all the xml files in the correct archive and in the correct place (META-INF or archive root)).
Actions
2. Re: What's the best way to secure

smokingapipe Aug 18, 2006 5:38 PM (in response to smokingapipe)

Thanks, I'll give that a try. It would be disapointing to have something as modern as Seam and then have to write a dumb old filter again. Also I do want fine-grained security. Like I might have a changeCreditLimit() method, and only an Admin should be able to call that. I know that JAAS can manage stuff like that. So I'll grind through whatever XML madness I need to do to get it working.
Actions

Go to original post