0
votes

I want to have authorization in my Java EE application.

Online it describes how you should define the roles in sun-web.xml. However, I would like to have all my roles and groups defined in a database table.

That means, when I access a method for my application, the request needs to be intercepted to see if the user is allowed in the role.

Do I need to

  • create some kind of interceptor class that checks auth as the user makes a call to my web service method
  • create a custom Login Module that fishes out the group and role data from the database when a user first logs on

Any pointers would be really helpful.


1 Answer

0
votes

First of all: I would strongly suggest using standard authorization mechanisms.

But for your use-case these standard mechanisms won't work, see this post: dynamic roles on a Java EE server

Roles have to be declared in the web.xml or sun-web.xml.

Frameworks

The next thing I would look into are frameworks that could help you with that. The link will provide you with two suggested frameworks.

Building your own

If you don't need it for productive purposes, I would suggest the following:

  • use Filters to check for authorization and authentication: Filters are fairly easy to use, very powerful and often used for security purposes. See http://docs.oracle.com/javaee/6/tutorial/doc/bnagb.html for more information about filters.
  • For the login, you could probably just stick with the standard form-based login.
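
A sketch of the filter approach from the answer above, added here as an illustration and not code from the question or the answer: a servlet filter that takes the user authenticated by the container's form-based login and checks a database table before letting the request through, denying by default and failing closed on lookup errors. The class name, URL pattern, JNDI name and table layout are hypothetical, and the code assumes Servlet 3.0 on Java 7 or later.

```java
import java.io.IOException;
import java.security.Principal;
import java.sql.*;
import javax.annotation.Resource;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;
import javax.sql.DataSource;
// Hypothetical schema: user_roles(username, role_name),
// role_permissions(role_name, http_method, path_prefix).
@WebFilter("/api/*") // hypothetical URL pattern of the protected web service
public class DbRoleFilter implements Filter {
    @Resource(lookup = "jdbc/appDS") // hypothetical JNDI name of the DataSource
    private DataSource ds;
    private static final String SQL =
        "SELECT rp.path_prefix FROM user_roles ur "
      + "JOIN role_permissions rp ON rp.role_name = ur.role_name "
      + "WHERE ur.username = ? AND rp.http_method = ?";
    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        Principal user = req.getUserPrincipal(); // set by the container login
        if (user == null) { res.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
        String info = req.getPathInfo();
        String path = req.getServletPath() + (info == null ? "" : info);
        try {
            if (isAllowed(user.getName(), req.getMethod(), path)) { chain.doFilter(rq, rs); return; }
        } catch (SQLException e) {
            // Fail closed: a lookup error must never grant access.
            req.getServletContext().log("role lookup failed", e);
        }
        res.sendError(HttpServletResponse.SC_FORBIDDEN);
    }
    private boolean isAllowed(String username, String method, String path) throws SQLException {
        try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement(SQL)) {
            ps.setString(1, username);
            ps.setString(2, method);
            try (ResultSet r = ps.executeQuery()) {
                while (r.next()) {
                    String p = r.getString(1);
                    // Match on a path-segment boundary so "/api/admin" does not cover "/api/administer".
                    if (path.equals(p) || path.startsWith(p.endsWith("/") ? p : p + "/")) return true;
                }
            }
        }
        return false; // deny by default
    }
}
```

Because the roles are read on every request, changes to the tables take effect without redeploying; a short-lived cache can be added if the lookup becomes a bottleneck.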