Search code examples
authenticationjavafxglassfishjava-ee-7

How to authenticate JavaFX client in JavaEE

I develop three-tier application with JavaFX on client side, JavaEE/Glassfish on server side and MySQL as a database management system. Also I used REST and JSON for transferring the data across network.

Now I try to configure an authentication using JavaEE security means. I use declarative approach with annotations in enterprise beans, I've already configured Glassfish file realm (add user/group) and glassfish-web.xml descriptor (add group-name and role tags). JavaEE tutorial say that If all of needed preparations done then when client attempt to get the protected resource Glassfish should ask client for a login/password pair. I understand how it work if it would be a web-client, but in my case it is a desktop JavaFX client and I don't understand how Glassfish ask client in desktop application. How to make authentication mechanism with JavaFX-Glassfish?

Update

Authentication window popup if I try to call servlet from browser (Chrome, IE) and authentication mechanism is able to work. But when I open JavaFX window I see nothing (white scene). Here is the code of class (JavaFX WebView), which I unsuccessfully used to open login window:

import javafx.application.Application;
import javafx.geometry.HPos;
import javafx.geometry.VPos;
import javafx.scene.Node;
import javafx.scene.Scene;
import javafx.scene.layout.HBox;
import javafx.scene.layout.Priority;
import javafx.scene.layout.Region;
import javafx.scene.paint.Color;
import javafx.scene.web.WebEngine;
import javafx.scene.web.WebView;
import javafx.stage.Stage;

    public class WebViewSample extends Application {
        private Scene scene;

        @Override
        public void start(Stage stage) {
            // create the scene
            stage.setTitle("Web View");
            scene = new Scene(new Browser(), 750, 500, Color.web("#666970"));
            stage.setScene(scene);
            scene.getStylesheets().add("webviewsample/BrowserToolbar.css");
            stage.show();
        }

        public static void main(String[] args) {
            launch(args);
        }
    }

    class Browser extends Region {

        final WebView browser = new WebView();
        final WebEngine webEngine = browser.getEngine();

        public Browser() {

        getStyleClass().add("browser");
    webEngine.load("http://localhost:8080/ForthDynamicWebProject/FirstServlet");
        getChildren().add(browser);
            }
        }
Solution

  • You should not use standard Java EE cookie authentication here because your client is desktop application.

    You can use Token authentication solution. The below is a guide.

    1. Login servlet: This servlet will verify userName and password. If verification is success, the servlet will return a token contains userId, roles, expires ... etc. You can use JWT (Json Web Token) format. Token will be generated/validated by server using a secret key.

    2. Login scene - JavaFX: When login button pressed, the app will send login request to the login servlet. If login is success, the app will receive a token and save the token in a secret storage for later uses. In memory should be ok.

    3. For subsequent HTTP requests (JavaFX): The app need to resend the token (via header etc). The server will validate the token BEFORE actual resource get invoked. If the validation is success, request is consider as authenticated. You can use JavaEE Filter to validate the token.