Question

I'm trying to create a login page which authenticates the users via a JDBCRealm on my GlassFish server (I think this is the easiest way); so far I managed to get it working. But in the User table in the DB I have an "is_active" column; when this column contains "false", I would like the server to reject the login attempt (just like with a wrong password). I'm fairly new to Java EE and have no idea where I should be looking for this. Does anyone know how to do so?


Solution

First of all, I have no earthly idea why GlassFish does not provide a better default security realm. JDBCRealm does not support salted user passwords, and also does not support more modern hashing techniques such as PBKDF2 etc.

That being said, if you want to use the default JDBCRealm, I think here is a way to make it restrict access to certain pages to "active" users only.

Have three tables similar to the ones below (these are for Postgres). Note that groups must be created before users_groups, since users_groups references it.

-- One row per account; passhash holds whatever the JDBCRealm digest produces
CREATE TABLE users
(
  user_id serial PRIMARY KEY,
  email character varying(255) NOT NULL UNIQUE,
  passhash character varying(255) NOT NULL
);
-- The set of group names the realm can hand back (mapped to roles in GlassFish)
CREATE TABLE groups
(
  group_name character varying(20) PRIMARY KEY
);
-- Membership: one row per (user, group); the realm's group query selects from here
CREATE TABLE users_groups
(
  users_groups_id serial PRIMARY KEY,
  user_email character varying(255) NOT NULL REFERENCES users(email),
  group_name character varying(20) NOT NULL REFERENCES groups(group_name)
);

Instead of an is_active column on the users table, make an "active" group. Then you can enforce access to portions of your web app to members of that group/role (make sure to set up the mapping between groups and roles properly).

For example, if you wanted all URLs to be accessible only by "active" users, you could put something like the below in your web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>private</web-resource-name>
        <!-- every URL in the application -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <!-- only principals in the role mapped to the "active" group -->
        <role-name>active</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

I assume you got your password hashing code working properly, and the DB tables set up successfully with GlassFish? It is arguably a pain in the neck.

Documentation on working with roles/groups: http://docs.oracle.com/javaee/6/tutorial/doc/bnbxj.html
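The following is an added example, not code from the question or the answer above, that simulates what the answer's "active" group buys you. It builds the three tables in an in-memory SQLite database, replays the two lookups a JDBCRealm is assumed to perform (select the stored hash by user-name column, then select the user's group names), and applies the web.xml constraint as "authenticated AND in the active role". It also goes one step beyond the answer: an assumed `active_users` view that the realm's user-table property could be pointed at instead of `users`, so that a deactivated user fails the password lookup itself. The unsalted hex SHA-256 digest is an assumption about how the realm is configured (the answer only says it is unsalted); table and view names other than the answer's three are illustrative.

```python
import hashlib
import hmac
import sqlite3

# Schema from the answer, with SQLite types; groups is created before
# users_groups because users_groups references it. The active_users view is
# an assumed extension, not part of the answer.
SCHEMA = """
CREATE TABLE users (
  user_id  INTEGER PRIMARY KEY,
  email    TEXT NOT NULL UNIQUE,
  passhash TEXT NOT NULL
);
CREATE TABLE groups (
  group_name TEXT PRIMARY KEY
);
CREATE TABLE users_groups (
  users_groups_id INTEGER PRIMARY KEY,
  user_email TEXT NOT NULL REFERENCES users(email),
  group_name TEXT NOT NULL REFERENCES groups(group_name)
);
-- Only users who are members of the 'active' group are visible here.
CREATE VIEW active_users AS
  SELECT u.email, u.passhash
  FROM users u
  JOIN users_groups ug ON ug.user_email = u.email AND ug.group_name = 'active';
"""


def digest(password: str) -> str:
    """Unsalted, hex-encoded SHA-256. Assumption: this matches a JDBCRealm
    configured with digest-algorithm=SHA-256 and encoding=Hex."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def seed(conn: sqlite3.Connection) -> None:
    """Create the schema and load constructed sample data."""
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO groups(group_name) VALUES ('active'), ('admin')")
    conn.executemany(
        "INSERT INTO users(email, passhash) VALUES (?, ?)",
        [("alice@example.com", digest("correct horse")),
         ("bob@example.com", digest("battery staple"))],
    )
    conn.executemany(
        "INSERT INTO users_groups(user_email, group_name) VALUES (?, ?)",
        [("alice@example.com", "active"),
         ("alice@example.com", "admin"),
         ("bob@example.com", "active"),
         ("bob@example.com", "admin")],
    )


def deactivate(conn: sqlite3.Connection, email: str) -> None:
    """Deactivation under the answer's scheme: drop the 'active' membership
    row; the user's password row is left untouched."""
    conn.execute(
        "DELETE FROM users_groups WHERE user_email = ? AND group_name = 'active'",
        (email,),
    )


def authenticate(conn: sqlite3.Connection, email: str, password: str,
                 user_table: str = "users") -> bool:
    """The realm's user lookup. user_table is deployment configuration
    (the realm's user-table property), never request input, so interpolating
    it into the SQL is safe; the user name is bound as a parameter."""
    row = conn.execute(
        f"SELECT passhash FROM {user_table} WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], digest(password))


def groups_of(conn: sqlite3.Connection, email: str) -> set:
    """The realm's group lookup; GlassFish maps these names to roles."""
    rows = conn.execute(
        "SELECT group_name FROM users_groups WHERE user_email = ?", (email,)
    )
    return {r[0] for r in rows}


def may_access(conn: sqlite3.Connection, email: str, password: str,
               required_role: str = "active") -> bool:
    """The web.xml constraint: a valid password AND membership in the role."""
    return authenticate(conn, email, password) and required_role in groups_of(conn, email)


def run_scenario() -> dict:
    """Deactivate bob and record what each layer decides for him and alice."""
    conn = sqlite3.connect(":memory:")
    seed(conn)
    deactivate(conn, "bob@example.com")
    return {
        "alice_ok": may_access(conn, "alice@example.com", "correct horse"),
        "alice_wrong_pw": may_access(conn, "alice@example.com", "nope"),
        # Group approach: bob's password still verifies...
        "bob_authenticates": authenticate(conn, "bob@example.com", "battery staple"),
        # ...but the constraint denies him because he lacks the role.
        "bob_may_access": may_access(conn, "bob@example.com", "battery staple"),
        # View approach: bob is rejected at the password lookup, like a wrong password.
        "bob_via_view": authenticate(conn, "bob@example.com", "battery staple", "active_users"),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The distinction the scenario makes matters for the original question: with the group approach, a deactivated user's credentials are still accepted by the realm, and only the `<auth-constraint>` turns them away afterwards, so a form login appears to succeed and the user is then refused on constrained URLs rather than at the login step. Pointing the realm's user table at the filtered view is one way to get the "just like a wrong password" behaviour the question asked for; whichever you choose, keep the `/*` constraint in place as the backstop.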

Licensed under: CC-BY-SA with attribution