I'm writing a Java web application which needs to perform login through a webservice. Of course, none of the realms supplied with the application server I'm using (glassfish v2
Is there any standard or widely supported way to implement a custom Realm? Is it in any way possible to deploy that realm from a .war, or does it always need to be loaded from the server's own classpath?
There absolutely is a standard way to implement a custom Realm, or in more general terms a custom authentication module. This can be done via the JASPIC/JASPI/JSR 196 SPI/API. JASPIC is a standard part of any full Java EE 6 implementation, but unfortunately not part of the Java EE 6 Web Profile.
However, despite JASPIC being a part of Java EE 6, it's not being optimally supported by vendors. GlassFish and WebLogic seem to have very good implementations, JBoss AS and Geronimo are a bit more problematic. The lead engineer from JBoss on this topic (Anil Saldhana) has even stated that he refuses to activate JASPIC by default for the moment. A few of the most severe bugs in JBoss AS 7.1 have been recently fixed, but as there are no public releases of JBoss 7.1.x scheduled anymore and JBoss AS 7.2 is still some time away, it means as of now at least on JBoss JASPIC is troublesome.
Another unfortunate issue is that the actual authentication module may be standardized, but there's no declarative way (read XML file) to configure it that's standardized.
Is it in any way possible to deploy that realm from a .war, or does it always need to be loaded from the server's own classpath?
With JASPIC, the authentication module ('realm') can indeed be loaded from a .war. I'm not 100% sure whether this is guaranteed by the spec, but of the 4 servers I tested (GlassFish, WebLogic, Geronimo and JBoss AS), they all supported this. Geronimo unfortunately has some kind of race condition in its programmatic registration, so you need an ugly workaround by doing a hot deploy twice, but in the end it does load the module from the .war.
As for the proprietary mechanisms, at least JBoss AS has always supported loading the module (e.g. a subclass of org.jboss.security.auth.spi.AbstractServerLoginModule) from the .war or .ear.
I wrote a blog post about this topic recently that has some more details.
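For reference, a sketch of the kind of JASPIC module the answer describes, added here as an example and not taken from the answer or its blog post: a `ServerAuthModule` that delegates the credential check to a remote login service and fails closed when that service errors. `RemoteLoginClient`, the class name and the realm string are hypothetical; it assumes HTTP Basic over TLS, Java 8+ for `java.util.Base64`, and that every resource in the application is protected. The programmatic registration through `AuthConfigFactory` that loads it from the .war is not shown.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

public class WebServiceAuthModule implements ServerAuthModule {
    // Hypothetical wrapper around the remote login web service: returns the caller's groups, or null if rejected.
    public interface RemoteLoginClient { String[] login(String user, String password) throws Exception; }
    private final RemoteLoginClient client;
    private CallbackHandler handler;
    public WebServiceAuthModule(RemoteLoginClient client) { this.client = client; }
    public void initialize(MessagePolicy req, MessagePolicy res, CallbackHandler h, Map options) { handler = h; }
    public Class[] getSupportedMessageTypes() { return new Class[] { HttpServletRequest.class, HttpServletResponse.class }; }
    public AuthStatus validateRequest(MessageInfo info, Subject clientSubject, Subject serviceSubject) throws AuthException {
        HttpServletResponse response = (HttpServletResponse) info.getResponseMessage();
        try {
            String[] cred = basicCredentials(((HttpServletRequest) info.getRequestMessage()).getHeader("Authorization"));
            String[] groups = cred == null ? null : client.login(cred[0], cred[1]);
            if (groups != null) {
                // Hand the verified identity to the container; it builds the principal and role mapping.
                handler.handle(new Callback[] {
                    new CallerPrincipalCallback(clientSubject, cred[0]),
                    new GroupPrincipalCallback(clientSubject, groups) });
                return AuthStatus.SUCCESS;
            }
            // Missing, malformed or rejected credentials: challenge again, never fall through to SUCCESS.
            response.setHeader("WWW-Authenticate", "Basic realm=\"app\"");
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_CONTINUE;
        } catch (Exception e) { // remote service down or callback failure: fail closed
            throw (AuthException) new AuthException("Login service call failed").initCause(e);
        }
    }
    // Returns {user, password} from a Basic Authorization header, or null if absent or malformed.
    private static String[] basicCredentials(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            String[] c = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8).split(":", 2);
            return c.length == 2 ? c : null;
        } catch (IllegalArgumentException malformed) { return null; }
    }
    public AuthStatus secureResponse(MessageInfo info, Subject serviceSubject) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo info, Subject subject) { if (subject != null) subject.getPrincipals().clear(); }
}
```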