
Common alternatives to web container managed security?


What are common alternatives to using the Tomcat (or WebSphere) container-managed security?

I have an unpleasant security library that pulls authorization and authentication from multiple places, and will initially be on Tomcat for early development, followed by late development and production on WebSphere. Rather than the hack-a-doo needed to get a custom realm set up through JAAS for Tomcat followed by another hack round on WAS, are there any common alternatives out there?

I've only ever done realm-based security on Tomcat. I have seen some interesting home-brew approaches, such as monitoring a user object in the session: http://www.vitarara.org/cms/struts_2_cookbook/creating_a_login_interceptor. I'm also curious how wiki pages (for example) with http://host.com/view.jsp?a_wiki_page manage to keep roles straight, since this seems to be commonly needed for wikis and BBSs, and maybe this is my solution?

Any advice?


Solution

  • Spring Security offers a comprehensive, container-neutral approach that I have successfully used on both WebSphere and Tomcat (particularly building / testing on Tomcat and deploying on WebSphere).

    What I really like about the framework is that it gives you an application-centric, source-neutral view of the current user and their authorities in the application. So that means that you can load the user and the authorities from anywhere, and only the configuration need be concerned with where it comes from (LDAP, database, property file, in-memory testing object, SAML assertion, etc.)

    It also gives you a lot of fine-grained authorization control (URL-based and method-based) that you simply don't have defined in Java EE Security. You can use regular expressions and Ant-style expressions for pattern matching that you wouldn't otherwise have. The expression syntax is also quite rich. If you need to do data-specific access control, DDL is provided for you to add to your database and integrate directly into your security.

    Spring Security runs as a filter to all of your requests to the web container using the "/*" URL mapping (or whichever mapping you choose to secure).
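As an added illustration of the container-neutral setup the answer describes (this is example code, not the answer author's or the Spring project's own), here is a Spring Security 6 configuration with Ant-style URL rules, a method-level rule, and a user source kept in a separate bean so that the in-memory test users can be swapped for LDAP or JDBC without touching the rules. The URL patterns, role names and users are hypothetical.

```java
// Added example, not from the answer above. Assumes Spring Security 6.x on the classpath;
// the URLs, roles and users are hypothetical. The filter chain built here is registered as
// a DelegatingFilterProxy on the "/*" mapping (web.xml), or automatically by Spring Boot.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity   // enables @PreAuthorize for method-based authorization
public class WikiSecurityConfig {

    // URL-based rules, evaluated in the filter before the request reaches the
    // container's servlets/JSPs. Ant-style patterns, most specific first;
    // anything not listed falls through to "authenticated user required".
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/view.jsp", "/css/**", "/login").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .requestMatchers("/edit.jsp").hasAnyRole("EDITOR", "ADMIN")
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login").permitAll())
            .logout(logout -> logout.logoutSuccessUrl("/view.jsp"));
        return http.build();
    }

    // The user source is its own bean: replace this with an LDAP or JDBC
    // UserDetailsService for WebSphere/production and the rules above stay the same.
    @Bean
    UserDetailsService users() {
        return new InMemoryUserDetailsManager(
            User.withDefaultPasswordEncoder().username("alice").password("alice-pw").roles("EDITOR").build(),
            User.withDefaultPasswordEncoder().username("root").password("root-pw").roles("ADMIN").build());
    }
}

// Method-based rule on the service layer: enforced whichever URL (or non-web caller) reached it.
class PageService {
    @PreAuthorize("hasRole('EDITOR') or hasRole('ADMIN')")
    public void save(String page, String body) { /* persist the wiki page */ }
}
```

`User.withDefaultPasswordEncoder()` is intended for demos and tests only; a production user source should store hashes produced by a proper `PasswordEncoder` bean.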