
GlassFish Security book FAQ 1: Custom Security Realm in GlassFish

Posted by kalali on May 18, 2010 at 12:06 PM PDT

I decided to write down the answers to some of the questions my book's readers email me or ask me via Twitter in my weblog, so everyone can benefit from them. Here is the answer to the first question, which involves custom security realms.

GlassFish supports five types of security realms out of the box, which are as follows:

  1. File Realm: Useful for development and testing purposes. GlassFish provides a user/group management interface for this realm, so we can add users and groups using the administration console. When using this realm all usernames, passwords and groups are stored in a plain text file.
  2. JDBC Realm: In a production environment we store user information, including but not limited to usernames, passwords and groups, in an RDBMS and then configure a JDBC realm to authenticate the given credentials against the information stored in the database.
  3. LDAP Realm: Sometimes we have all user details stored in an LDAP directory such as Active Directory, Red Hat Directory Server, OpenDS or Sun Java System Directory Server Enterprise Edition.
  4. Solaris Realm: This realm is used to authenticate users against a Solaris user directory.
  5. Certificate Realm: The certificate realm allows us to conduct mutual SSL authentication based on client certificates.

Sometimes our user information is stored in a silo different from all of the storages mentioned above, and we need to use that source for authentication and access control. For example, assume that our user information, including usernames, passwords and group membership, is stored in an object database and we need to authenticate our enterprise application's users against that storage. In such cases we should either think about keeping a synchronized RDBMS with up-to-date user information and using the JDBC realm for authentication and authorization, or develop a custom security realm which uses the object database as its source for authentication.

Setting up synchronization between, say, the object database and the RDBMS can be tricky, while developing a custom authentication realm is much easier using the SPIs GlassFish provides.
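To make the SPI from the two paragraphs above concrete, here is a minimal custom realm pair, an added example written for this post and not the book's sample realm. A custom realm consists of two classes: a realm (extending `AppservRealm`) that GlassFish instantiates from the `create-auth-realm` classname and that knows how to reach the user store, and a JAAS `LoginModule` (extending `AppservPasswordLoginModule`) that GlassFish hands the submitted username and password together with the realm instance. Assumptions: the package name `com.example.security`, the realm name `objectdb-realm` and the login.conf entry name `objectDbRealm` are hypothetical; the in-memory map is a constructed stand-in for the object database; the salted PBKDF2 password storage and the decoy record are my own defensive choices, not something the realm SPI requires; and the `_username`/`_password` String fields and `commitUserAuthentication(String[])` are assumed to be those of the GlassFish 3.0-era `AppservPasswordLoginModule`.

```java
// File: com/example/security/ObjectDbRealm.java   (package name is hypothetical)
package com.example.security;

import com.sun.appserv.security.AppservRealm;
import com.sun.enterprise.security.auth.realm.BadRealmException;
import com.sun.enterprise.security.auth.realm.InvalidOperationException;
import com.sun.enterprise.security.auth.realm.NoSuchRealmException;
import com.sun.enterprise.security.auth.realm.NoSuchUserException;

import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;

/** Realm half of the SPI: GlassFish instantiates it from the create-auth-realm --classname. */
public class ObjectDbRealm extends AppservRealm {
    public static final String AUTH_TYPE = "objectdb";   // value reported by getAuthType()

    /** One user record as the object database would hold it (constructed stand-in). */
    private static final class UserRecord {
        final byte[] salt; final byte[] hash; final List<String> groups;
        UserRecord(byte[] s, byte[] h, List<String> g) { salt = s; hash = h; groups = g; }
    }
    // Constructed in-memory stand-in for the object database: username -> record.
    private final Map<String, UserRecord> store = new HashMap<String, UserRecord>();
    // Decoy so an unknown username costs the same hashing work as a wrong password.
    private final UserRecord decoy = new UserRecord(new byte[16], new byte[32], Collections.<String>emptyList());

    @Override
    public void init(Properties props) throws BadRealmException, NoSuchRealmException {
        // jaas-context names the login.conf entry that maps to our LoginModule; it is mandatory.
        String jaasCtx = props.getProperty(JAAS_CONTEXT_PARAM);
        if (jaasCtx == null || jaasCtx.trim().length() == 0)
            throw new BadRealmException("realm property " + JAAS_CONTEXT_PARAM + " is required");
        setProperty(JAAS_CONTEXT_PARAM, jaasCtx);
        // A real realm would open the object database here; we seed constructed sample users.
        addUser("alice", "correct horse".toCharArray(), "users", "admins");
        addUser("bob",   "s3cret".toCharArray(), "users");
    }

    @Override public String getAuthType() { return AUTH_TYPE; }

    @Override
    public Enumeration<String> getGroupNames(String username) throws InvalidOperationException, NoSuchUserException {
        UserRecord rec = store.get(username);
        if (rec == null) throw new NoSuchUserException("no such user: " + username);
        return Collections.enumeration(rec.groups);
    }

    /** Returns the user's groups on success, null on failure; called by the LoginModule. */
    public String[] authenticate(String username, char[] password) {
        if (username == null || password == null) return null;
        UserRecord rec = store.get(username);
        UserRecord target = rec != null ? rec : decoy;          // hash even for unknown users
        byte[] candidate = pbkdf2(password, target.salt);
        boolean ok = rec != null && MessageDigest.isEqual(candidate, rec.hash);
        return ok ? rec.groups.toArray(new String[rec.groups.size()]) : null;
    }

    private void addUser(String username, char[] password, String... groups) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        store.put(username, new UserRecord(salt, pbkdf2(password, salt), Arrays.asList(groups)));
    }

    private static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, 20000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        }
    }
}

// File: com/example/security/ObjectDbLoginModule.java
package com.example.security;

import com.sun.appserv.security.AppservPasswordLoginModule;
import javax.security.auth.login.LoginException;

/** JAAS half of the SPI: GlassFish hands it the realm plus the submitted username/password. */
public class ObjectDbLoginModule extends AppservPasswordLoginModule {
    @Override
    protected void authenticateUser() throws LoginException {
        if (!(_currentRealm instanceof ObjectDbRealm))
            throw new LoginException("ObjectDbLoginModule requires ObjectDbRealm, got " + _currentRealm);
        char[] pw = _password == null ? null : _password.toCharArray();
        String[] groups = ((ObjectDbRealm) _currentRealm).authenticate(_username, pw);
        if (groups == null)   // one message for unknown user and wrong password alike
            throw new LoginException("authentication failed for " + _username);
        commitUserAuthentication(groups);   // populates the Subject with user and group principals
    }
}
```

To wire it up, the compiled jar goes into the domain's lib directory, an entry `objectDbRealm { com.example.security.ObjectDbLoginModule required; };` is added to the domain's login.conf, and the realm is created with `asadmin create-auth-realm --classname com.example.security.ObjectDbRealm --property jaas-context=objectDbRealm objectdb-realm`; the application then names `objectdb-realm` in its deployment descriptor like any built-in realm. The realm only ever returns group names and a yes/no answer, so the login module never sees stored hashes, and the constant-time comparison plus decoy hashing keep a failed login from revealing whether the username exists.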

The second chapter of the GlassFish Security book discusses GlassFish security realms in detail and walks through a sample application which uses these realms to authenticate and authorize users. In the same chapter, developing custom security realms is discussed along with developing a sample realm.

In the same chapter, GlassFish's support for JSR-196 (Java Authentication Service Provider Interface for Containers) is discussed, to complete the ring of authentication and authorization in Java EE in general and the GlassFish application server in particular.

Comments

Custom Realm Scenario

Hi Masoud, suppose I want to use separate databases and tables for authentication (based on the URL pattern: "http://abc.myhost.com/somepage" will use the "abc" db and "http://xyz.myhost.com/somepage" will use the "xyz" db). Is a custom realm the answer? Or is there a better way? Thank you, Shilu

Do you have two separate

Do you have two separate applications deployed in the application server, or do both of these URL patterns hit one single application?

Custom Realm

No, there will be only one application. But users will have different URLs for accessing it. Each user can consider their URL as a separate application and add other users to it.

You cannot configure an

You cannot configure an application to use more than one realm. Each application can only use one realm. A custom realm is not the answer to your problem, because a custom realm makes it possible to use a user information storage not supported out of the box.

This is the solution I was thinking about

This is the solution I was thinking about, using a single custom realm.
Problem:
If the application is accessed via the URL "http://userone.mydom.com", then the login information should be fetched from the database "userone". If it is accessed via the URL "http://usertwo.mydom.com", then the corresponding login information comes from the database "usertwo".
Solution:
Using a single custom realm, we can check the URL pattern inside the custom LoginModule (which extends AppservPasswordLoginModule). Based on the extracted subdomain ("userone" or "usertwo"), the appropriate database is selected to fetch the login information to be checked against the submitted username and password. I am not able to see a problem here. Could you please explain a bit more?