Java EE JDBC Realm

Question

when using a JDBC realm for authorization I usally have this tables:

1. User table
2. Role table
3. Group table

When I now login with username, password the security module makes a lookup in the table: give me all roles for user: username .

Can I somehow hook into the process and add another attribute? Eg give me all roles for user: username where UserTable.X = Y ?

Note: I must use pure Java EE

Answer 1

There are some possibilities to achieve the desired behavior.

1. The easiest solution would not be to customize the login process, but to use a manual lookup using perhaps a @WebFilter or some similar approach.

2. If you need or want to customize the login process itself have a look at JASPIC (relatively new). In the version 1.1 it is quite usable, but its support depends on the application server you are using. The idea is to write an own login process and pass a custom Principal back to Java EE. Here is a nice collection of links: Zeef

3. An older approach to customize the login process is to create an application server specific security realm. In other words you are writing or extending the JDBC Realm that is currently used by your application server. You can then also pass a custom security principal back to Java EE.