Basic/Digest authentication implementation in Java: server code or web server configuration?


We need to support Basic authentication and later Digest authentication in a Java web project. My doubts are:

  • Whether Basic/Digest authentication is a configuration in the web server (Tomcat, JBoss etc.). Our users/passwords are in a SQL database and we get these through dataservices. In this case, how can I configure the web server to use the dataservices to authenticate?
  • Whether I need to handle Basic/Digest authentication explicitly in code, e.g. I receive the authentication request in a Servlet and connect to the dataservices for authentication?

Best answer:

Basic and Digest authentication are covered by the Servlet specification. Read the spec or this tutorial to learn how it works.

Where the credentials are stored and how they are checked is at the discretion of each container, though. Tomcat supports a variety of Realm implementations (file-based, JDBC-based, LDAP-based, etc.). Don't know for JBoss.

Answer:

In Java EE, security is by default declarative. This means you only specify which resources you'd like to be protected, via an abstract concept called a Role.

Adding to the answer of JB Nizet, the JBoss AS specific login modules (roughly equivalent to Tomcat's Realm implementations) can be found here: http://docs.jboss.org/jbosssecurity/docs/6.0/security_guide/html/Login_Modules.html

Remarkably unknown to many (as it seems), Java EE 6 also supports standardized authentication modules. These are the file-based, JDBC-based, etc. modules that are normally considered to be Application Server/Container specific.

This is done via the so called JASPIC API (aka JASPI, aka JSR 196), see e.g.:

Unfortunately, the adoption of JASPIC/JASPI/JSR 196 seems lackluster at best. For the moment, people seem to trust the AS-specific realms, login modules and what have you much more, or just aren't aware of the alternatives.
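The following is an added example, not code from either answer or from the question, showing how the two pieces both answers describe fit together on Tomcat: the declarative part from the Servlet spec (a role-based `security-constraint` plus `login-config` in `web.xml`) and the container-specific part that checks the credentials (a Tomcat `DataSourceRealm` reading the users/roles tables over JDBC). It assumes Tomcat 8 or later, a JNDI data source named `jdbc/authority`, tables `users(user_name, user_pass)` and `user_roles(user_name, role_name)`, and a role called `user`; all of those names are assumptions. The realm queries the SQL tables directly rather than going through a separate "dataservice"; if the credentials are only reachable through such a service, the same `web.xml` still applies but the `Realm` must be replaced by a custom Tomcat Realm or by a JASPIC `ServerAuthModule` as mentioned in the second answer.

```xml
<!-- ===== WEB-INF/web.xml (portable, Servlet spec): what is protected and how ===== -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Every request under /api/ must come from an authenticated caller in role "user". -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>api</web-resource-name>
      <url-pattern>/api/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <!-- BASIC only base64-encodes "user:password"; it is not encrypted.
         CONFIDENTIAL makes the container redirect plain HTTP to HTTPS. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Switching to DIGEST later is a one-word change here, see the note below. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>example-api</realm-name>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>

<!-- ===== META-INF/context.xml (Tomcat-specific): where credentials live ===== -->
<Context>
  <!-- JDBC pool for the authentication database (assumed PostgreSQL; any JDBC driver works).
       Keep the real password out of the WAR, e.g. via a property substituted at deploy time. -->
  <Resource name="jdbc/authority" auth="Container" type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://db.example.internal:5432/auth"
            username="tomcat_auth" password="${auth.db.password}"
            maxTotal="8"/>

  <!-- DataSourceRealm runs
         SELECT user_pass FROM users WHERE user_name = ?
         SELECT role_name FROM user_roles WHERE user_name = ?
       and lets the container compare the submitted password with the stored credential. -->
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/authority" localDataSource="true"
         userTable="users" userNameCol="user_name" userCredCol="user_pass"
         userRoleTable="user_roles" roleNameCol="role_name">
    <!-- Store salted, iterated PBKDF2 hashes instead of plaintext or unsalted MD5.
         The same handler is used to produce the stored value, e.g. with
         `bin/digest.sh -a PBKDF2WithHmacSHA512 -i 100000 -s 16 -k 256 -h org.apache.catalina.realm.SecretKeyCredentialHandler <password>`. -->
    <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
                       algorithm="PBKDF2WithHmacSHA512"
                       iterations="100000" keyLength="256" saltLength="16"/>
  </Realm>
</Context>
```

With this in place no servlet code touches the `Authorization` header at all: the container challenges with `401` and `WWW-Authenticate: Basic realm="example-api"`, verifies the credentials through the Realm, and only then dispatches to the servlet, where `request.getUserPrincipal()` and `request.isUserInRole("user")` are populated. One caveat before planning the move to DIGEST: HTTP Digest needs the server to hold `MD5(username:realm:password)` (the HA1 value) so that it can verify the client's response, which rules out the salted PBKDF2 storage above and ties the stored credential to MD5; in practice Basic over TLS with strong password hashing is the stronger of the two.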