We distribute our web-application to our customers as a .war file. That way, the user can just deploy the war to their container and they’re good to go. The problem is that some of our customers would like authentication, and use the username as a parameter to certain operations within the application.
I know how to configure this using web.xml, but that would mean we either have to tell our customers to hack around in the war file, or distribute 2 separate wars; one with authentication (and predefined roles), one without.
I also don’t want to force authentication on our customers, because that would require more knowledge about Java containers and web servers in general, and make it harder to just take our application for a test drive.
Is there a way to do the authentication configuration in the container, rather than in the web-app itself?
In web.xml, define security constraints to bind web resource collections to J2EE roles and a login configuration (both for the customers that want access control to some of the resources of your app).
Then, let the customers bind J2EE roles defined in your web app to user groups specific users ans groups defined on their app servers. Customers that do not want any access control may bind all roles to unauthorized users (name of that user group is specific to appserver, e.g. Websphere calls that ‘Everyone’). Customers that want to restrict access to a resource(s) in your webapp to a limited set of users or a user group may do so by binding the roles to users/groups per their’s needs.
If an authentication is required to verify user’s membership in a role, then the authentication method specified in login config in your web.xml will be used.