The new Java Magazine is out now, featuring a lot of useful articles about enterprise Java - not so much Java EE as a platform, but individual services that can be useful as part of a larger solution. See below for an introduction to my article on Custom Servlet Authentication Using JASPIC, also featured in the magazine.

When you build web applications using Java EE, you often need to work with some organization-specific user repository for authenticating users and obtaining a user’s

groups. Typically users are defined in a specific database, a strange LDAP configuration, or some other user-identity store specific to the project. All Java EE application servers ship with the capability to integrate with a common set of identity stores. For example, GlassFish Server ships with several so-called realms: file, LDAP, JDBC, Oracle Solaris, PAM, and certificate.

Each realm needs to be manually configured, and the configuration is specific to the application server and outside the control of your application. If the predefined realms don’t it your needs, you then need to develop an application specific module to extend the capabilities using application server–specific APIs. Many developers faced with this prospect build some custom code in the web application, which integrates with their required identity store and uses application-specific mechanisms to manage authentication and authorization.

The problem with this approach is that these developer designed mechanisms for managing authentication are not integrated with the application server, so the standard Java EE security model does not apply, the power of Java EE APIs such as isUserInRole and getUserPrincipal can’t be used, and standard Java EE declarative security fails. In this article, I examine an alternative solution that is tucked away in Java EE. I expect readers to have a basic working knowledge of Java EE and its authentication mechanisms.

To continue reading, see page 25 of the August/September 2016 issue of Java Magazine.