Tags: jakarta-ee, servlets, java-ee-6, web.xml, jaas

Form-based authentication, but with custom authentication method in Java EE 6


Short version: In pure Java EE 6, is there something like Spring's Authentication Processing Filter, which customizes form-based authentication?

Long version: I'm working on a pure Java EE 6 web application (JSF2, CDI), which must be independent of the concrete Java EE 6 container used later.

JSF2 pages with restricted access are stored in a sub-folder /pages. In my web.xml, I defined the following to restrict access to those pages:

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>??????????</realm-name>
    <form-login-config>
        <form-login-page>/login.jsf</form-login-page>
        <form-error-page>/access_denied.jsf</form-error-page>
    </form-login-config>
</login-config>

<security-constraint>
    <display-name>pages_auth</display-name>
    <web-resource-collection>
        <web-resource-name>pages</web-resource-name>
        <url-pattern>/pages/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>AuthenticatedUser</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <role-name>AuthenticatedUser</role-name>
</security-role>

As indicated by the "????" in the code above, I can't use one of the pre-defined realms like JDBC, because the authentication to use is very custom (nasty detail: credentials are checked against an ugly legacy system) and requires some Java coding.

I expected that I could create a new class implementing some interface overriding some authenticate method with the parameters "login" and "password" returning a boolean to denote a successful authentication.

However, after reading several hours on the topic, I'm totally lost :-( Do I need to implement a JAAS LoginModule and Realm? This looks very complicated to me. Or is there another standard Java EE 6 way to do it? Or do I need to go the way of implementing a ServletFilter instead?
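The ServletFilter route mentioned in the question, worked through as an added example (not code from the original post): a Servlet 3.0 filter that guards /pages/*, accepts the login form POST, and delegates the credential check to exactly the kind of "authenticate(login, password) returns boolean" interface the question describes. Assumptions are marked in the comments: the form posts to /do-login, the checker is a CDI bean wrapping the legacy system, and /pages/index.jsf is the landing page; the /login.jsf and /access_denied.jsf paths come from the question's web.xml. Because the container enforces a <security-constraint> before any filter runs, this approach replaces the web.xml <login-config> and <security-constraint> blocks rather than adding to them.

```java
import java.io.IOException;
import javax.inject.Inject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter-based replacement for container FORM authentication.
 * Guards /pages/* and handles POSTs to the (assumed) login action /do-login.
 */
@WebFilter(urlPatterns = {"/pages/*", "/do-login"})
public class CustomFormAuthFilter implements Filter {

    /** The "authenticate(login, password) -> boolean" hook the question asks for. */
    public interface CredentialChecker {
        boolean authenticate(String login, char[] password);
    }

    static final String USER_ATTR = "auth.user";      // session attribute: authenticated login
    static final String TARGET_ATTR = "auth.target";  // session attribute: page requested before login
    private static final String LOGIN_PAGE = "/login.jsf";          // from the question's web.xml
    private static final String ERROR_PAGE = "/access_denied.jsf";  // from the question's web.xml
    private static final String DEFAULT_PAGE = "/pages/index.jsf";  // assumption: default landing page

    @Inject
    private CredentialChecker checker;  // assumption: a CDI bean wrapping the legacy system

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String ctx = request.getContextPath();
        String path = request.getRequestURI().substring(ctx.length());

        if ("/do-login".equals(path) && "POST".equals(request.getMethod())) {
            handleLogin(request, response);
            return;
        }
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(USER_ATTR) != null) {
            chain.doFilter(req, res);  // already authenticated: let the JSF page render
            return;
        }
        // Not authenticated: remember where the user wanted to go, then send them to the login page.
        request.getSession(true).setAttribute(TARGET_ATTR, path);
        response.sendRedirect(ctx + LOGIN_PAGE);
    }

    private void handleLogin(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String login = request.getParameter("login");
        String password = request.getParameter("password");
        String ctx = request.getContextPath();
        if (login == null || password == null
                || !checker.authenticate(login, password.toCharArray())) {
            response.sendRedirect(ctx + ERROR_PAGE);  // one generic failure page, no hint which field was wrong
            return;
        }
        HttpSession old = request.getSession(false);
        String target = null;
        if (old != null) {
            target = (String) old.getAttribute(TARGET_ATTR);
            old.invalidate();  // fresh session id after login (Servlet 3.0 has no changeSessionId)
        }
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute(USER_ATTR, login);
        response.sendRedirect(ctx + safeTarget(target));
    }

    /** Only redirect back into /pages/ of this application; anything else goes to the default page. */
    static String safeTarget(String target) {
        if (target != null && target.startsWith("/pages/") && !target.startsWith("/pages//")
                && !target.contains("\\") && !target.contains("://")) {
            return target;
        }
        return DEFAULT_PAGE;
    }
}
```

Two caveats that follow from bypassing the container: request.getRemoteUser() and isUserInRole() stay empty, so any JSF code relying on them has to read the session attribute instead, and Servlet 3.0's HttpServletRequest.login(user, password) is no shortcut here, because it still delegates to the container's configured realm. The redirect target is taken from the server-side request URI and re-checked in safeTarget, so a crafted return URL cannot turn the login page into an open redirect.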


Solution

  • I ended up using Spring Security. It seems with Java EE 6 libraries, it is not easily possible to implement a custom authentication provider. Of course you can implement everything from scratch using servlet filters, but that's in my view too error prone. Spring Security seems to be a good solution even though it adds many libraries to my webapp, which I hoped I could get around without.