
manage users for programmatic security

 
D. Formenton
Ranch Hand
Posts: 48
Hi all,

I would like to add the programmatic security concept to my JSF application, but I would like to know if it is possible to manage the realm/users of the GlassFish v. 3 server with a JSF page, to avoid configuring the server for any new user.

Thank you.

D. Formenton
 
Kamal Wickramanayake
Greenhorn
Posts: 27
My advice is to look at Spring Security. You don't have to care about what your application server is. You can go about fine-grained access control. It's not difficult to add Spring Security to an already available application. Have a look at the following:

Using Spring Security in your Java web application

[ UD: removed off-topic links ]
 
Tim Holloway
Bartender
Posts: 18663
Programmatic security is not considered the optimal way to secure applications. Programs can have bugs and the last place you want bugs is in security. Plus changing the security architecture requires rewriting the security code, and that often means modifying the application logic.

Declarative security is preferable, where possible. Because, unlike program code, declarations have a fairly small number of possibilities, it's much easier to secure an application and it's often possible to design, build, and test the app without including security code within the application itself.

The J2EE standard provides role-based declarative security as a built-in feature, controlled by definitions in the web.xml file. This is quite adequate for many web applications. For more extensive/finer-grained control, you can pair it with a third-party framework such as Spring Security.

Most application developers - and architects - have no business designing their own custom security systems. They invariably do it very badly. It takes both an especially evil mindset and a pretty extensive amount of education to know how to design and implement a security system. And even the pro jobs get exploited on occasion. Far better to let someone else be responsible for that part of the system. Use a trusted security framework.
 
leo donahue
Ranch Hand
Posts: 327
D. Formenton wrote: Hi all,
... to avoid configuring the server for any new user.


I really don't understand your question. You do not want to manage users/roles in GlassFish? If not you, who is going to be adding users/roles then? The users?

I agree with Tim that declarative security is the way to go.

Did you read any of this?: Realms
Are you saying you don't want to use a file Realm?
 