Ok, we secured our JSF web application by using a JSF form. The user information is still stored in a flat text file. But as stated before, your application server provides more. This lesson, we move forward to GlassFish’s JDBCRealm, which allows you to store the user information within the database.
In your application you may provide a registration form, where the user enters username, some other data and her password. You may store this data all together in a table named â€œaccountâ€. Or you may store the credentials in a separate table called â€œuserâ€ for example. Feel free to persist the data as it is relevant to your application. You may store the password as clear text or hashed by a well known algorithm like SHA256. All the container needs is access to a table (or view) which contains username and password in one row.
To access this table from your application as well as from the JDBCRealm, you need to setup a connection pool and an appropriate JDBC resource. I assume, you know how to do this. Otherwise, please refer to my first JPA part of this tutorial .
Beside the user table, a second one is used to access the user’s role. A column for the username is needed and a second one for the group. A user may be member in a couple of groups. If a user is assigned to exactly one group, it is possible to store this information in the same table as the password.
Let’s set up the realm. Open GlassFish console and choose Configurations, server-config, Security, Realms.
GlassFish displays an overview of existing realms. Click onto New… to create a new one.
- Provide a name of your choice. This name will be referenced in your web.xml configuration.
- Out of the combobox Class Name choose [xxx].JDBCRealm.
- JAAS Context has to be jdbcRealm.
- As JNDI enter the name you’ve chosen for you JDBC resource
- At User table provide the name of the table you store the credentials
- Username column: Enter the colname where you store the user name
- Password column: Same for password
- As Group Table provide the name where you store the group information. If a user can be in exactly one group and you store the group information in the same table as the credentials, enter the same name here.
- Group table User Name Column: This column provides the same username as the user table, even though it’s name might be different
- Group Name Column: The column which contains the group name
- Password Encryption Algorithm: As stated before, you may store your password as plain text or encrypted. It’s highly recommended to use encryption. Choose the algorithm you use. Remember MD5 or SHA1 are known to be insecure. Prefer SHA256 or SHA512 for example.
- Digest Algorithm: Provide the same algorithm
- Encoding: You may store the encrypted password as hex string or base 64 encoded. This property defines the encoding (Hex or Base64)
- Charset: The charset you use to store the password. You may use UTF-8
Store your config.
If you prefer configure GlassFish by editing a config file, here it is:
Open the file YourGlassFishRootDirectory/glassfish/domains/yourDomain/config/domain.xml.
Locate the tag security-service and add the auth-realm as shown below. [snip] indicates text omitted for brevity. This tag appears twice, for default and active config!
[snip] <security-service activate-default-principal-to-role-mapping="true"> <auth-realm classname="com.sun.enterprise.security.ee.auth.realm.jdbc.JDBCRealm" name="jdbcRealm"> <property name="jaas-context" value="jdbcRealm"></property> <property name="encoding" value="Hex"></property> <property name="password-column" value="Hash"></property> <property name="datasource-jndi" value="jdbc/tutorial"></property> <property name="group-table" value="Group"></property> <property name="charset" value="UTF-8"></property> <property name="user-table" value="User"></property> <property name="group-name-column" value="GroupName"></property> <property name="digestrealm-password-enc-algorithm" value="SHA-256"></property> <property name="group-table-user-name-column" value="UserName"></property> <property name="digest-algorithm" value="SHA-256"></property> <property name="user-name-column" value="UserName"></property> </auth-realm> [snip] </security-service> [snip]
Make sure you stopped your GlassFish before editing this file and restart it afterward.
Once we have defined the realm (and stored some credentials + groups into the tables), the only thing to do is to edit the security configuration within web.xml.
All you have to do, is to exchange the realm. Replace file by JDBCRealm.
Or, within the xml view:
Next, I’m going to talk about a custom realm before moving on to JSAPIC. Stay tuned!
Go to web development tutorial table of content.