0
votes

I was thinking about using Java EE without any framework (eg. Spring), if possible, to perform user authentication. I use PG, JPA, JSF, Java EE, Glassfish and EJB in my project.

In Glassfish web.xml would do it for me. Problem is, that I found a lot of possibilities to do it with 3 tables - USER, USER_IN_GROUP and GROUP, and none to do it with enum role and just 1 table - USER (with role as a column), which should be imo much easier and lighter.

Role enum like:

public enum Role {
   User, Admin;
}

User entity like:

import java.io.Serializable;
import javax.persistence.Entity;
import javax.persistence.Enumerated;
import javax.persistence.EnumType;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;

@Entity
public class User implements Serializable {
   @Id
   @GeneratedValue(strategy = GenerationType.IDENTITY)
   private Long id;

   private String nick;
   private String pass;

   // single role per user, stored as the enum constant's name
   @Enumerated(EnumType.STRING)
   private Role roles;

   //Getters and Setters
}

In web.xml I use Basic method to test credentials.

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>issuetrack-realm</realm-name>
</login-config>
<security-role>
    <description/>
    <role-name>User</role-name>
</security-role>
<security-role>
    <description/>
    <role-name>Admin</role-name>
</security-role>

The Realm using JDBCRealm looks like this: [image: Realm in Glassfish]

After I try to login it says: Warning: WEB9102: Web Login Failed: com.sun.enterprise.security.auth.login.common.LoginException: Login failed: Security Exception.

Any suggestions?


The "Login failed: Security Exception" was just a problem in the settings of the realm. I don't secure my passwords in the DB and I had left Digest Algorithm empty (= SHA-256).

The real problem is with the roles. I can't get into my app with this setting because the principal is the nickname instead of the group name (REALM setting from the DB).

2
Your question seems to be a duplicate of this one: stackoverflow.com/questions/7941713/… - geekprogrammer
No no, I saw this one and I wouldn't write if it was the same. My problem is with the realm; that question had a problem with the password. - Polostor
The problem with your idea is that there is inherently a many-to-many relationship between users and roles/groups which cannot be modelled easily using a single table. Your model restricts each user to a single role. You could do this, but you would have to implement and install your own login module rather than making use of one that is built-in to your server. - Steve C
@SteveC I guess there has to be some simple solution for this. I know that business logic is not often made with just one role, but it is the simplest solution, and therefore I would expect there to be an at least equally easy solution for it. - Polostor

2 Answers

2
votes

Actually, you should be fine with your realm settings, with tiny changes.

Try to set values for

Group Table User Name Column: roles
Digest Algorithm: none

Also, in your question you did not provide the way you map your groups (you call them roles) to roles. To keep things simple: Group is what is in your DB and Role is what you define in the web application. This mapping should be done in an application-server-specific descriptor. In your case, assuming you use the latest GF version, it is glassfish-web.xml, and because you use the same names for groups and roles, it should look something like the following

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN"
        "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app>

.............

    <security-role-mapping>
        <role-name>Admin</role-name>
        <principal-name>Admin</principal-name>
        <group-name>Admin</group-name>
    </security-role-mapping>

    <security-role-mapping>
        <role-name>User</role-name>
        <principal-name>User</principal-name>
        <group-name>User</group-name>
    </security-role-mapping>

..............
</glassfish-web-app>

However, I would think twice before implementing security this way. Your user can have only one role, and you lose quite a bit of the flexibility the framework offers you. You may want to consider a list of roles for a user; you can use the @CollectionTable annotation in this case. Nevertheless, what you are trying to achieve is definitely possible and it works perfectly with GF.
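As an added example (not code from the question or from this answer), here is the @CollectionTable variant the answer mentions: one USER_ROLES row per user and role, joined on the nick rather than the numeric id so the same table can be pointed at as the JDBCRealm's Group Table. The table names, column names and realm settings in the comments are assumptions.

```java
import java.io.Serializable;
import java.util.HashSet;
import java.util.Set;
import javax.persistence.CollectionTable;
import javax.persistence.Column;
import javax.persistence.ElementCollection;
import javax.persistence.Entity;
import javax.persistence.Enumerated;
import javax.persistence.EnumType;
import javax.persistence.FetchType;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.JoinColumn;
import javax.persistence.Table;

@Entity
@Table(name = "USERS") // assumed name; USER is a reserved word in PostgreSQL
public class User implements Serializable {

    public enum Role { User, Admin }

    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;

    // Unique so it can be the realm's User Name Column and the target of
    // the USER_ROLES join below.
    @Column(name = "NICK", unique = true, nullable = false)
    private String nick;

    // Store a digest here, not the clear-text password, so the realm's
    // Digest Algorithm can stay at SHA-256 instead of "none".
    @Column(name = "PASS", nullable = false)
    private String pass;

    // USER_ROLES(NICK, ROLE): assumed realm settings would be
    // Group Table = USER_ROLES, Group Name Column = ROLE,
    // Group Table User Name Column = NICK.
    @ElementCollection(fetch = FetchType.EAGER)
    @CollectionTable(name = "USER_ROLES",
            joinColumns = @JoinColumn(name = "NICK", referencedColumnName = "NICK"))
    @Enumerated(EnumType.STRING)
    @Column(name = "ROLE", nullable = false)
    private Set<Role> roles = new HashSet<Role>();

    public boolean hasRole(Role role) { return roles.contains(role); }
    public void addRole(Role role) { roles.add(role); }
    public Set<Role> getRoles() { return roles; }
    public String getNick() { return nick; }
    public void setNick(String nick) { this.nick = nick; }
    public void setPass(String digestedPass) { this.pass = digestedPass; }
}
```

The container still decides access from the security-role-mapping in glassfish-web.xml shown above; hasRole is only a convenience for application code that already has the entity loaded.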

1
votes

I suggest you consider delegating all your user-management needs to Stormpath. With Stormpath, you do not need to worry about such low-level concerns; all your data is securely managed and stored. Stormpath provides:

  • User management API with different SDKs: node.js, express, java, rest, python, flask.
  • Off the shelf Hosted Login: login, registration, and password reset.
  • Off the shelf ID Site to power Single Sign-On across your applications
  • API keys for your users, secured with HTTP Basic Auth or OAuth2
  • Social Login: Facebook, Google, LinkedIn, Github
  • Integration with Shiro and Spring Security
  • Integration with Active Directory and LDAP

With Stormpath you will only need to create Groups which will represent your roles. Inside your groups and accounts, you can also create finer-grained concepts like permissions using our flexible Custom Data concept.

Disclaimer: I am an active Stormpath contributor.