I’ve spent almost entire day with JSF authentication and I think I’m totally lost. I want to have authentication that will be flexible.
Most people said that “HTTP FORM based authentication in conjunction with JDBC realms” is the best.. but in my opinion is a little bit.. not flexible. I don’t want to set database name, and tables where will be username, password, group etc. as constant.
So my question is: What is the best way in case when I’ve web-service (JAX-WS, WCF etc – that is not important I think) that has a method which returns whether username and password are correct? When I’ve a function that will connect to DB itself to check whether user and password is ok.. I need only the whole mechanism that will care about which page display (login page or “requested” page). And in case login page, it will use my webservice method to check it..
btw. Is there any good article that will compare and say what method in which case should we use ?
PS. Sorry for the topic if it’s bad, I don’t have any better idea :/
EDIT:
Other words: Here is an example how to use Realm and form based authentication.
I must have DB, with User Table, User Name Column, Password Column, Group Table etc. Right? I have to configure my domain with this… But, what If I don’t have an access to database? I have access only to web-services, which will tell me whether user and password are correct..
Which user authentication method should I use in this case ?
One way to do it is use a custom realm that connects to the web service instead of the database.
How to do so is partly standardized (with JAAS), but still depends on the application server.
For glassfish, see this very similar question and answer: Java Web Application: Using a custom realm to perform login through a webservice
The other way would be to not use Java EE security, and handle all security yourself in the web app (e.g. with filters, etc.). I would try first the Java EE compliant way with a custom realm.