Securing web applications
It is a common requirement to only allow certain users to access certain pages in a
web application. Before a web application can be secured, a security realm needs to
be set up in the application server where the application will be deployed. Security
realms are essentially collections of users and security groups.
Each security realm allows the application server to obtain security information
from some sort of permanent storage. This security information could be stored
in a simple flat file, a relational database, an LDAP repository, or any other kind
of persistent storage. Configuring the application server to obtain the security
information from any kind of persistent storage allows us as application developers
not to have to worry about the specific implementation. We simply configure our
application to use a defined security realm for authentication.
Each user can belong to one or more security groups. Secured pages in a web
application are only accessible by certain security groups.
The procedure of setting up a security realm varies from application server to
application server. In this section we will use a pre-configured GlassFish security
realm called file. Consult your application server documentation for information on
how to configure security realms.
There are four different ways we can authenticate a user. When accessing a page
using Basic Authentication, the browser displays a pop-up window asking the user
to enter his credentials.
The advantage of this approach is that it is the easiest to implement. Disadvantages
of this approach include the fact that by default passwords are not encrypted, and
that the login page is not very elegant. Another disadvantage of this approach is that
there is no way for the user to log out, other than closing the browser window.