I'm exploring pure Java EE ways of doing programmatic security, especially logging users in, based on the JDBC realm from my GlassFish server.
So basically, in my login
A purely programmatic approach in a portable (pure Java EE) way is not possible when you use container specific (proprietary) login modules such as the GlassFish JDBC login module/realm.
There is an API in Java EE 6 for this: JASPIC. With that API (SPI technically), you can build portable authentication modules AND configure them fully programmatically without the need for any declaration.
I wrote a blog article about this that hopefully provides you with some more details.
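To show concretely what "portable module, programmatic configuration" means, here is an added example written for this page (it is not code from the answerer's blog post, from GlassFish or from any project): a JASPIC ServerAuthModule that does HTTP Basic against a constructed in-memory user table, the minimal AuthConfigProvider/ServerAuthConfig/ServerAuthContext glue the SPI requires, and a ServletContextListener that registers the provider at startup, so no login-config in web.xml and no GlassFish realm is involved. The user names, passwords, groups, the "example" realm string, the class names, and the assumption that GlassFish's default virtual server is called "server" are all mine; Java 8 or later is assumed for java.util.Base64.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.config.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.*;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.*;

/** Portable SAM: HTTP Basic against a constructed in-memory table (demo data, not a real store). */
class InMemoryBasicAuthModule implements ServerAuthModule {
    private static final String IS_MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    /** Constructed sample users: name -> {password, group}. Real code hashes passwords and reads a store. */
    private static final Map<String, String[]> USERS = new HashMap<String, String[]>();
    static { USERS.put("alice", new String[] {"s3cret", "admin"}); USERS.put("bob", new String[] {"hunter2", "user"}); }
    private CallbackHandler handler;

    public void initialize(MessagePolicy req, MessagePolicy resp, CallbackHandler handler, Map options) {
        this.handler = handler;   // supplied by the container; it knows how to establish the caller identity
    }

    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) mi.getRequestMessage();
        HttpServletResponse resp = (HttpServletResponse) mi.getResponseMessage();
        try {
            String[] up = parseBasic(req.getHeader("Authorization"));
            String[] rec = up == null ? null : USERS.get(up[0]);
            // Constant-time compare so response timing does not reveal how much of the password matched.
            if (rec != null && MessageDigest.isEqual(rec[0].getBytes(StandardCharsets.UTF_8),
                                                     up[1].getBytes(StandardCharsets.UTF_8))) {
                handler.handle(new Callback[] {
                    new CallerPrincipalCallback(client, up[0]),                      // -> getUserPrincipal()
                    new GroupPrincipalCallback(client, new String[] { rec[1] }) });  // -> isUserInRole()
                return AuthStatus.SUCCESS;
            }
            if (!Boolean.parseBoolean(String.valueOf(mi.getMap().get(IS_MANDATORY)))) {
                // Resource is not protected: let the request through as the anonymous caller.
                handler.handle(new Callback[] { new CallerPrincipalCallback(client, (Principal) null) });
                return AuthStatus.SUCCESS;
            }
            resp.setHeader("WWW-Authenticate", "Basic realm=\"example\"");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_FAILURE;
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
    }

    /** {user, password} from a Basic header, or null if absent or malformed (garbage must not become a 500). */
    private static String[] parseBasic(String h) {
        if (h == null || !h.startsWith("Basic ")) return null;
        try {
            String[] up = new String(Base64.getDecoder().decode(h.substring(6).trim()),
                                     StandardCharsets.UTF_8).split(":", 2);
            return up.length == 2 ? up : null;
        } catch (IllegalArgumentException e) { return null; }
    }

    public AuthStatus secureResponse(MessageInfo mi, Subject service) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo mi, Subject subject) { subject.getPrincipals().clear(); }
}

/** Minimal SPI glue for one module: this object serves as provider, config and context at once. */
class SingleModuleProvider implements AuthConfigProvider, ServerAuthConfig, ServerAuthContext {
    private final ServerAuthModule module;
    private final String layer, appContext;
    SingleModuleProvider(ServerAuthModule m, String layer, String appContext) { module = m; this.layer = layer; this.appContext = appContext; }
    public ServerAuthConfig getServerAuthConfig(String l, String a, CallbackHandler h) throws AuthException {
        module.initialize(null, null, h, new HashMap());   // hand the container's handler to the module
        return this;
    }
    public ClientAuthConfig getClientAuthConfig(String l, String a, CallbackHandler h) { return null; }
    public ServerAuthContext getAuthContext(String id, Subject service, Map props) { return this; }
    public String getMessageLayer() { return layer; }
    public String getAppContext() { return appContext; }
    public String getAuthContextID(MessageInfo mi) { return appContext; }
    public boolean isProtected() { return true; }
    public void refresh() { }
    public AuthStatus validateRequest(MessageInfo mi, Subject c, Subject s) throws AuthException { return module.validateRequest(mi, c, s); }
    public AuthStatus secureResponse(MessageInfo mi, Subject s) throws AuthException { return module.secureResponse(mi, s); }
    public void cleanSubject(MessageInfo mi, Subject s) throws AuthException { module.cleanSubject(mi, s); }
}

/** Registers the provider when the application starts: the whole configuration lives in code. */
@WebListener
public class JaspicRegistration implements ServletContextListener {
    private String registrationId;
    public void contextInitialized(ServletContextEvent sce) {
        // Assumption: the app context id is "<virtual server> <context path>" and GlassFish's default
        // virtual server is named "server"; other containers use their own host name here.
        String appContext = "server " + sce.getServletContext().getContextPath();
        registrationId = AuthConfigFactory.getFactory().registerConfigProvider(
            new SingleModuleProvider(new InMemoryBasicAuthModule(), "HttpServlet", appContext),
            "HttpServlet", appContext, "example in-memory Basic SAM");
    }
    public void contextDestroyed(ServletContextEvent sce) {
        if (registrationId != null) AuthConfigFactory.getFactory().removeRegistration(registrationId);
    }
}
```

Two things to check before expecting `isUserInRole("admin")` to return true: the group name the module hands to GroupPrincipalCallback still has to be mapped to a role by the container (on GlassFish either enable default principal-to-role mapping or add a `security-role-mapping` in glassfish-web.xml), and the registration only takes effect for requests that arrive after contextInitialized has run, so put the listener in the WAR that is being protected. The `isMandatory` check is what lets public pages coexist with protected ones: the container sets that flag from the security constraints, and a SAM that ignores it would challenge every request.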
Well, there are two aspects to security in web applications: authentication and authorization. What you are using here is programmatic authentication (the way users are logging in) and declarative authorization (defining what users are allowed to see). There is no issue in mixing both, in my opinion.
If you keep your realm in your web.xml, your application will be more portable (meaning you can deploy your WAR in e.g. a Tomcat server without changes).
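To make the mixing this answer describes concrete, here is an added example (written for this page, not code from the answer or from any project) of the two halves side by side: a servlet that authenticates programmatically with HttpServletRequest.login() against whatever realm web.xml names, and a servlet whose authorization is declared with @ServletSecurity, the Servlet 3.0 annotation form of a `<security-constraint>`. The realm name jdbcRealm, the URLs, the role names and the session attribute returnTo (assumed to have been stored earlier by whatever sent the user to the login form) are assumptions; the two servlets go in one file each.

```java
import java.io.IOException;
import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.*;
import javax.servlet.http.*;

/*
 * Assumed web.xml fragment. It is the only place the realm is named: on GlassFish the name selects
 * the JDBC realm, on Tomcat the realm itself is configured in the container and this is just a label,
 * so the WAR deploys on both without a change.
 *
 *   <login-config>
 *     <auth-method>FORM</auth-method>
 *     <realm-name>jdbcRealm</realm-name>
 *     <form-login-config>
 *       <form-login-page>/login.jsp</form-login-page>
 *       <form-error-page>/login.jsp?error=1</form-error-page>
 *     </form-login-config>
 *   </login-config>
 */

/** Programmatic authentication: the container's realm checks the password, this servlet never sees the store. */
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Session fixation: keep what we need from the pre-login session, then discard it, so the
        // session id the browser held before authenticating is never upgraded to a logged-in one.
        HttpSession old = req.getSession(false);
        String target = old == null ? null : (String) old.getAttribute("returnTo");   // assumed attribute
        if (old != null) old.invalidate();
        if (req.getUserPrincipal() != null) req.logout();   // login() throws if a caller is already established
        try {
            req.login(user, pass);   // Servlet 3.0 API: validated against the realm named in web.xml
        } catch (ServletException e) {
            // One generic failure for unknown user and wrong password; details go to the server log only.
            log("login failed for user " + user);
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Login failed");
            return;
        }
        req.getSession(true);   // fresh session, issued only after authentication succeeded
        resp.sendRedirect(req.getContextPath() + safeLocalPath(target));
    }

    /** Open-redirect guard: honour only a path inside this application, never a host or scheme. */
    static String safeLocalPath(String p) {
        if (p == null || !p.startsWith("/") || p.startsWith("//") || p.startsWith("/\\")) return "/";
        return p;
    }
}

/**
 * Declarative authorization in annotation form: equivalent to a <security-constraint> on /admin/report
 * with <role-name>admin</role-name> and a CONFIDENTIAL transport guarantee. The container rejects
 * other callers (403) or unauthenticated ones (redirect to the FORM login page) before doGet runs.
 */
@DeclareRoles({"admin", "user"})
@WebServlet("/admin/report")
@ServletSecurity(@HttpConstraint(rolesAllowed = "admin",
        transportGuarantee = ServletSecurity.TransportGuarantee.CONFIDENTIAL))
public class AdminReportServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/plain");
        // Both calls are answered by the container from the identity login() established.
        resp.getWriter().println("Hello " + req.getUserPrincipal().getName()
                + ", admin=" + req.isUserInRole("admin"));
    }
}
```

Two caveats a practitioner will hit: `@ServletSecurity` only covers the URL patterns declared on that servlet, and a `<security-constraint>` in web.xml for the same pattern (or `metadata-complete="true"` on `<web-app>`) overrides or disables it, so check which of the two is actually in force; and on GlassFish the realm's groups still need to be mapped to the roles named here, either through default principal-to-role mapping or a `security-role-mapping` in glassfish-web.xml, which is the one deployment descriptor in this setup that is not portable.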