I'm a beginner and I need someone's advice on this subject:
I'm writing a J2EE application and I store user data as an entity bean. In this bean I keep the passwords and logins too.
Now I'm implementing the web interface and I'm wondering how to secure it. I'm using JBoss and it is using JAAS. I think that I should write a custom login module which would take the data from the EJB; is this a good idea? If not, what solutions are better?
It depends on your requirements, especially how fine-grained you need security to be. If you have your user data in a relational DB already, and it is sufficient to assign various roles to them after they are authenticated, it may be sufficient to use servlet security (i.e., setting up a realm, and hooking it up in your web.xml). It's a programmatic approach, where you check whether a user has a certain role before executing actions that require specific role privileges. If you want/need to handle access declaratively, possibly even on a per-method basis, JAAS would be the way to go. JAAS is much more powerful, but also a lot more involved to implement.
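A minimal JAAS LoginModule of the kind the question asks about, added here as an illustration and not taken from this thread: it authenticates through a UserStore interface standing in for the entity bean, and on commit populates the Subject with a caller principal plus one principal per role. The UserStore interface, the "userStore" option key and the NamedPrincipal class are assumptions; how the container tells the caller principal apart from role principals is container-specific (JBoss has its own convention) and is left to deployment configuration.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
// Assumed interface over the application's user data (the entity bean holding the
// logins); password verification belongs behind it, not in the login module.
interface UserStore { boolean verify(String login, char[] pw); Set<String> rolesOf(String login); }
public class UserStoreLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private UserStore store;                      // supplied via the options map in this example
    private String login; private boolean authenticated;
    private final Set<Principal> added = new HashSet<>();
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.store = (UserStore) options.get("userStore"); // assumed option key
    }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("login: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.getMessage()); }
        char[] pw = pc.getPassword();             // a copy; wipe both copies when done
        pc.clearPassword();
        authenticated = pw != null && store.verify(nc.getName(), pw);
        if (pw != null) Arrays.fill(pw, '\0');
        if (!authenticated) throw new FailedLoginException("bad login or password");
        login = nc.getName();
        return true;
    }
    public boolean commit() {                     // called only if the whole login stack succeeded
        if (!authenticated) return false;
        added.add(new NamedPrincipal(login));
        for (String role : store.rolesOf(login)) added.add(new NamedPrincipal(role));
        subject.getPrincipals().addAll(added);    // the container maps these to roles
        return true;
    }
    public boolean abort() { authenticated = false; login = null; return true; }
    public boolean logout() {                     // undo exactly what commit() added
        subject.getPrincipals().removeAll(added);
        added.clear();
        return true;
    }
    static final class NamedPrincipal implements Principal { final String name; NamedPrincipal(String n) { name = n; } public String getName() { return name; } }
}
```

Keeping the password check inside UserStore means the module never sees how credentials are stored, and clearing the char[] copies limits how long the secret sits in memory.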