I want to use J2EE role-based security. I also want my users to have telephone numbers. How do I accomplish both these things at once?
In more detail: when a user logs in to my app, I need two pieces of information:
(1) some credentials and principals to apply to my application's security roles, and
(2) some generic information about the user.
I have some idea how to accomplish (1) by itself. JAAS is straightforward, and seems like the right mechanism to use for logins -- especially since there are numerous LoginModules available, and our customers can hopefully find one to suit their needs.
However, our application also needs to keep some user metadata, such as a telephone number or a location, associated with the user based on their login. JAAS clearly doesn't address this directly. So how do people generally handle this?
Should I customize an existing LoginModule, or write my own from scratch, and create my own custom Subject with the field that I want? This is good in that it allows me to store all user information in the same place -- I can have an LDAP record with the username, password, and phone. But it's bad in that I'm now in the business of rolling my own LoginModule, which seems to remove some of the benefit of JAAS.
I could also keep user data in a database, and associate it with logins that come from some other system. But that just seems messy.
So how do people do this? I can't imagine I'm the first person to encounter this problem. Hopefully somebody out there has some useful advice.
If you are using JBoss 3.0.3, you can use ProxyLoginModule to achieve this. Basically, it delegates to your own LoginModule to do the non-role-based authorization login, and then you chain these two login modules together.
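A container-neutral way to do the chaining the reply describes, written here as an added example (Java 16+) rather than code from the original poster, the reply, or JBoss: the first LoginModule authenticates and stores the user name in the JAAS shared state under the standard "javax.security.auth.login.name" key; the second never authenticates, only looks up metadata for that name and adds it to the same Subject as an extra Principal, so roles and attributes come from one login without one module having to do both jobs. The class names, the in-memory password table and the directory entry are all made up for the example; the demo password module stands in for whatever real module (LDAP, database) a customer plugs in.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Added example (Java 16+), not code from the original post or from JBoss. Two stacked JAAS
// modules: the first authenticates (a stand-in for a real LDAP/DB module), the second only
// attaches user metadata to the same Subject. Class names and user tables are made up.
public class StackedJaasDemo {
    /** Identity principal added by the authenticating module (roles would be derived from it). */
    public record NamePrincipal(String name) implements Principal { public String getName() { return name; } }
    /** Metadata principal: phone/location live in Subject.getPrincipals(), separate from roles. */
    public record UserAttributesPrincipal(String name, Map<String, String> attrs) implements Principal {
        public String getName() { return name; }
    }

    /** Hypothetical authenticating module with a constructed password table. */
    public static class DemoPasswordLoginModule implements LoginModule {
        private static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret");  // constructed
        private Subject subject; private CallbackHandler handler; private Map<String, Object> shared;
        private String user; private boolean authenticated; private NamePrincipal principal;

        // JAAS hands every module in the stack the same mutable shared-state map.
        @SuppressWarnings("unchecked") public void initialize(Subject s, CallbackHandler h, Map<String, ?> sh, Map<String, ?> o) {
            subject = s; handler = h; shared = (Map<String, Object>) sh;
        }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
            user = nc.getName();
            char[] pw = pc.getPassword();
            String expected = PASSWORDS.get(user);
            // Constant-time comparison (a real module would compare password hashes, not plaintext).
            authenticated = expected != null && pw != null
                && MessageDigest.isEqual(expected.getBytes(), new String(pw).getBytes());
            pc.clearPassword();
            if (!authenticated) throw new FailedLoginException("bad credentials");
            // Standard JAAS shared-state key (the one useFirstPass-style modules read): the next
            // module learns who logged in without prompting again or re-checking the password.
            shared.put("javax.security.auth.login.name", user);
            return true;
        }
        public boolean commit() {
            if (authenticated) subject.getPrincipals().add(principal = new NamePrincipal(user));
            return authenticated;
        }
        public boolean abort() { authenticated = false; return true; }
        public boolean logout() { if (principal != null) subject.getPrincipals().remove(principal); return true; }
    }

    /** Hypothetical metadata module: never authenticates, only decorates the Subject. */
    public static class PhoneAttributeLoginModule implements LoginModule {
        private static final Map<String, Map<String, String>> DIRECTORY =   // constructed data
            Map.of("alice", Map.of("phone", "+1-555-0100", "location", "Boston"));
        private Subject subject; private Map<String, ?> shared; private UserAttributesPrincipal found;

        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sh, Map<String, ?> o) {
            subject = s; shared = sh;
        }
        public boolean login() throws LoginException {
            Object name = shared.get("javax.security.auth.login.name");
            if (name == null) throw new LoginException("no authenticated user in shared state");
            Map<String, String> attrs = DIRECTORY.get(name.toString());
            found = attrs == null ? null : new UserAttributesPrincipal(name.toString(), attrs);
            return found != null;   // false = "ignore this module"; the login outcome is unchanged
        }
        public boolean commit() { if (found != null) subject.getPrincipals().add(found); return found != null; }
        public boolean abort() { found = null; return true; }
        public boolean logout() { if (found != null) subject.getPrincipals().remove(found); return true; }
    }

    /** Programmatic form of a JAAS config entry: REQUIRED authentication, then OPTIONAL metadata. */
    static Configuration stacked() {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(DemoPasswordLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()),
                    new AppConfigurationEntry(PhoneAttributeLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.OPTIONAL, Map.of()) };
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        CallbackHandler handler = callbacks -> {   // stands in for a login form or console prompt
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback nc) nc.setName("alice");
                else if (cb instanceof PasswordCallback pc) pc.setPassword("s3cret".toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext lc = new LoginContext("app", new Subject(), handler, stacked());
        lc.login();
        for (UserAttributesPrincipal p : lc.getSubject().getPrincipals(UserAttributesPrincipal.class))
            System.out.println(p.getName() + " phone=" + p.attrs().get("phone"));
    }
}
```

The metadata module is flagged OPTIONAL and returns false from login() when it has nothing for the user, so a missing phone record can never turn a valid login into a failure, and it never touches the password: the only thing it trusts is the name the REQUIRED module put in shared state. In JBoss the same stack is declared as two login-module entries for one application policy in login-config.xml rather than with the programmatic Configuration above, and JBoss additionally expects the roles in a Group principal named "Roles"; that role mapping belongs in the authenticating module and is left out here.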