Question

I'm currently developing a "basic" Java EE 6 application with JSF (frontend) and JPA, EJB, and CDI (backend). Everything works well so far.

For the login part I've chosen form-based authentication together with a JDBC-Realm.

Now I'd like to offer some REST services (Jersey), which will be consumed by mobile devices. Therefore I need to add a second way to authenticate. But from my point of understanding there can only be one at a time.

I already tried some PoCs, but every time I invoked a REST service which requires a valid user, the service redirected to the login page.

Are there any best practices for how to handle this kind of problem?

Is it possible to add OAuth to the current login mechanism, because I don't want to send user/pass or the session id with every request? Some kind of token would be great.


Solution

If your application requires different authentication mechanisms for different services, then the login modules that are shipped with most Java EE implementations (servers) don't really suffice.

You probably have to take matters into your own hand by writing a custom login/auth module. Java EE 6 has an API for that: JASPIC. Alternatively you can use the proprietary login module API of your specific server.

In that login/auth module you can inspect the request, determine to which service that request belongs, and then delegate to the appropriate "real" module.

I wrote an article about JASPIC some time ago that might get you started.

Servers often have an option to stack login modules. This is a proprietary feature so there's a very remote chance that one of them allows stacking auth mechanisms.
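The "inspect the request, then delegate" idea from this answer, as an added example written for this page (it is not code from the JASPIC article or from any server). Assumptions: REST lives under /rest/*, the JSF login page is /login.xhtml and, on success, stores the user name in the session attribute "authenticatedUser"; the TOKENS map stands in for whatever issues bearer tokens to the mobile clients; the role name "user" is made up. Registering the module with the server's AuthConfigFactory is server-specific and not shown.

```java
// Added example: one JASPIC ServerAuthModule that chooses the mechanism by request path.
// Assumed layout: REST under /rest/*, JSF login page at /login.xhtml which stores the user
// name in session attribute "authenticatedUser"; TOKENS is a constructed stand-in store.
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class DispatchingAuthModule implements ServerAuthModule {
    // Constructed token store (token -> user name); a login endpoint would fill it.
    static final Map<String, String> TOKENS = new ConcurrentHashMap<String, String>();
    private CallbackHandler handler;

    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler;
    }

    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    public AuthStatus validateRequest(MessageInfo info, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) info.getRequestMessage();
        String path = request.getRequestURI().substring(request.getContextPath().length());
        // The container calls the module for every request; "isMandatory" says whether web.xml
        // actually protects this URL, so public pages (the login page itself) are not challenged.
        boolean mandatory = Boolean.parseBoolean(String.valueOf(
                info.getMap().get("javax.security.auth.message.MessagePolicy.isMandatory")));
        try {
            return path.startsWith("/rest/")
                    ? validateBearerToken(info, clientSubject, mandatory)
                    : validateWebSession(info, clientSubject, mandatory);
        } catch (Exception e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
    }

    // REST branch: stateless bearer token; answers 401 instead of redirecting to the login page.
    private AuthStatus validateBearerToken(MessageInfo info, Subject subject, boolean mandatory)
            throws IOException, UnsupportedCallbackException {
        HttpServletRequest request = (HttpServletRequest) info.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) info.getResponseMessage();
        String header = request.getHeader("Authorization");
        String user = header != null && header.startsWith("Bearer ")
                ? TOKENS.get(header.substring("Bearer ".length()).trim()) : null;
        if (user != null || !mandatory) {
            establishCaller(info, subject, user, "BEARER");
            return AuthStatus.SUCCESS;
        }
        response.setHeader("WWW-Authenticate", "Bearer");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return AuthStatus.SEND_FAILURE;
    }

    // Web branch: the JSF form login already verified the user; map the session to a caller.
    private AuthStatus validateWebSession(MessageInfo info, Subject subject, boolean mandatory)
            throws IOException, UnsupportedCallbackException {
        HttpServletRequest request = (HttpServletRequest) info.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) info.getResponseMessage();
        HttpSession session = request.getSession(false);
        String user = session == null ? null : (String) session.getAttribute("authenticatedUser");
        if (user != null || !mandatory) {
            establishCaller(info, subject, user, "FORM");
            return AuthStatus.SUCCESS;
        }
        response.sendRedirect(request.getContextPath() + "/login.xhtml");
        return AuthStatus.SEND_CONTINUE;
    }

    // Hands the caller to the container; a null principal means "unauthenticated" in JASPIC.
    private void establishCaller(MessageInfo info, Subject subject, String user, String authType)
            throws IOException, UnsupportedCallbackException {
        if (user == null) {
            handler.handle(new Callback[] { new CallerPrincipalCallback(subject, (Principal) null) });
            return;
        }
        handler.handle(new Callback[] {
                new CallerPrincipalCallback(subject, user),
                new GroupPrincipalCallback(subject, new String[] { "user" }) }); // assumed role name
        info.getMap().put("javax.servlet.http.authType", authType);
    }

    public AuthStatus secureResponse(MessageInfo info, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;
    }

    public void cleanSubject(MessageInfo info, Subject subject) {
        if (subject != null) subject.getPrincipals().clear();
    }
}
```

Because the caller is established through the container's CallbackHandler, the identity reaches getUserPrincipal(), isUserInRole() and EJB @RolesAllowed checks alike, which is what makes this route preferable to a plain servlet filter when the REST layer calls into secured EJBs. The REST branch deliberately never redirects, which is exactly the behaviour the question's PoC was missing.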

OTHER TIPS

But from my point of understanding there can only be one at a time.

That's not entirely correct. You can only have one container-managed configuration, but you can have as many as you want if you use programmatic login or a third party framework.

I already tried some PoCs but every time I invoked a REST service which requires a valid user, the service redirected to the login page

In web.xml, where you defined your security constraints, exclude the REST portion of the application in order to bypass the container-managed authentication mechanism, then authenticate programmatically or use a third-party solution.

Are there any best practices for how to handle this kind of problem?

This would likely result in debate, so I will not attempt to answer it.

Is it possible to add OAuth to the current login mechanism, because I don't want to send user/pass or the session id with every request?

Yes. There are probably a multitude of others, but I'm familiar with Seam Social (which is becoming Agorava). These two claim to support Google, Facebook, and several others. You could also write your own OAuth authenticator for Apache Shiro.

An alternative is to package your application as an EAR with the web UI and REST interfaces separated into individual web modules. This would allow you to configure each web module independently via its web.xml.

You may add a custom servlet named something like AuthServlet, set it up to be publicly available using a security-constraint (it may even be a Jersey @POST method, btw) and use programmatic authentication.
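The two tips above (keep /rest/* outside the container-managed constraint, then authenticate programmatically through a public AuthServlet) combined into one added example; this is written for this page, not code from any of the answerers. It assumes Servlet 3.0 (Java EE 6), that the existing web.xml security-constraint uses a url-pattern such as /faces/* rather than /*, so nothing under /rest/* is container-managed, and that the JDBC realm is the application's configured realm so HttpServletRequest.login() validates against it. The in-memory TokenStore, the 30-minute lifetime and the "BEARER" auth type are constructed for the example; the login endpoint should only be reachable over HTTPS, since it receives the password.

```java
// Added example: public token-issuing servlet plus a bearer-token filter for the other /rest/* paths.
// Assumes web.xml protects only the JSF part, e.g. <url-pattern>/faces/*</url-pattern> (not /*),
// so /rest/* never triggers the container's FORM login and its redirect to the login page.
import java.io.IOException;
import java.math.BigInteger;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

// Public login endpoint for mobile clients: POST username/password, receive an opaque token.
@WebServlet("/rest/auth")
public class RestAuthServlet extends HttpServlet {

    // Constructed in-memory token store: 256-bit random tokens, unrelated to the password.
    static final class TokenStore {
        private static final Map<String, String> USER_BY_TOKEN = new ConcurrentHashMap<String, String>();
        private static final Map<String, Long> EXPIRES_AT = new ConcurrentHashMap<String, Long>();
        private static final SecureRandom RANDOM = new SecureRandom();
        static final long TTL_MILLIS = 30L * 60 * 1000; // assumed lifetime

        static String issue(String user) {
            byte[] raw = new byte[32];
            RANDOM.nextBytes(raw);
            String token = String.format("%064x", new BigInteger(1, raw));
            USER_BY_TOKEN.put(token, user);
            EXPIRES_AT.put(token, System.currentTimeMillis() + TTL_MILLIS);
            return token;
        }

        static String userFor(String token) {
            Long expires = token == null ? null : EXPIRES_AT.get(token);
            if (expires == null) return null;
            if (expires < System.currentTimeMillis()) { // expired: drop it and fail closed
                EXPIRES_AT.remove(token);
                USER_BY_TOKEN.remove(token);
                return null;
            }
            return USER_BY_TOKEN.get(token);
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        try {
            // Programmatic login (Servlet 3.0) checks the credentials against the same JDBC realm
            // the JSF form login uses; it throws on bad credentials or an already logged-in request.
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException bad) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String token = TokenStore.issue(req.getUserPrincipal().getName());
        try { req.logout(); } catch (ServletException ignored) { } // the token, not a session, is the credential
        resp.setContentType("application/json");
        resp.getWriter().write("{\"token\":\"" + token + "\"}");
    }

    // Guards every other /rest/* path with the bearer token: 401, never a redirect to the login page.
    @WebFilter("/rest/*")
    public static class BearerTokenFilter implements Filter {
        public void init(FilterConfig config) { }
        public void destroy() { }

        public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) resp;
            String path = request.getRequestURI().substring(request.getContextPath().length());
            if (path.equals("/rest/auth")) { // the login endpoint itself stays public
                chain.doFilter(req, resp);
                return;
            }
            String header = request.getHeader("Authorization");
            final String user = header != null && header.startsWith("Bearer ")
                    ? TokenStore.userFor(header.substring("Bearer ".length()).trim()) : null;
            if (user == null) {
                response.setHeader("WWW-Authenticate", "Bearer realm=\"rest\"");
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // Expose the caller through the servlet API, e.g. to Jersey via @Context HttpServletRequest.
            chain.doFilter(new HttpServletRequestWrapper(request) {
                @Override public Principal getUserPrincipal() {
                    return new Principal() { public String getName() { return user; } };
                }
                @Override public String getRemoteUser() { return user; }
                @Override public String getAuthType() { return "BEARER"; }
            }, resp);
        }
    }
}
```

The filter is nested in the servlet class only so the example fits one file; in a project both would be separate public classes. Note the limit of this approach: the request wrapper makes getUserPrincipal() work for Jersey resources, but it does not set the container's caller identity, so @RolesAllowed on the EJBs behind the REST layer still sees an anonymous caller. If the REST services need the container to know who is calling, the JASPIC module or the server's proprietary login module API from the accepted answer is the way to go.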

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow