I am starting a J2EE application and would like to use xml files to set out various security roles and use these when checking for valid users. The number of users will change quite often.
The intention then is to use form-based authentication since this seems quite secure.
I understand that the roles must be set out in web.xml and the users in each role in users.xml.
Our software must allow users to be added while the server is running. Surely this means that the xml files must be updated, possibly while another user is accessing them.
Is this possible and what are the implications of this?
Is the alternative just to access the database via a single servlet and not use digital certificates or HTTPS client authentication?
Any comments would be much appreciated.
Have your EJB container do the authentication. Most app server vendors provide authentication support where user credentials can be stored in the database.
Map the roles to groups, not to individual users. Most if not all app servers can handle them. Thus, the XML files will be static. When a user attempts to log in, once the authentication is successful, the server will check whether any of the groups the user is in has access to the resource. You can enhance the logic as needed.
And, as already suggested, do not use files to persist the user information. Use a database or LDAP.
Also, the authentication mechanism is an altogether different issue.
Have a look at JAAS: http://java.sun.com/j2se/1.4/docs/guide/security/jaas/tutorials/index.html
and in Mastering EJB. You might find it useful if you use any EJBs.
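Added example (not code from any of the replies above, and not from the JAAS tutorial linked): a JAAS LoginModule in Java that does what the "map roles to groups" reply and the "have a look at JAAS" reply describe together. The module authenticates a user against a user store and, on commit, adds the user's group memberships to the Subject as Principals; the role names in web.xml stay static, and the app server's role-to-group mapping consumes the group names. The in-memory map, the user names, passwords and group names, and the class names GroupLoginModule, SimplePrincipal and UserRecord are all constructed for this demo and are assumptions; in a real deployment the map is replaced by the JDBC or LDAP lookup the replies recommend. It assumes Java 8 or later (PBKDF2WithHmacSHA256 and lambdas).

```java
import java.security.MessageDigest;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// JAAS LoginModule: verifies a password against a user store and, on commit, adds the user's groups
// to the Subject as Principals. Roles stay static in web.xml; the server's role-to-group mapping
// (vendor-specific) consumes the group names added here. Hypothetical demo class, not from the thread.
public class GroupLoginModule implements LoginModule {
    /** Minimal Principal; kind is "user" or "group". Real app servers use their own classes. */
    public static final class SimplePrincipal implements Principal {
        private final String kind, name;
        public SimplePrincipal(String kind, String name) { this.kind = kind; this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return kind + ":" + name; }
        @Override public boolean equals(Object o) { return o instanceof SimplePrincipal && toString().equals(o.toString()); }
        @Override public int hashCode() { return toString().hashCode(); }
    }
    /** One stored record: random salt, PBKDF2 hash of the password, group memberships. */
    static final class UserRecord { final byte[] salt, hash; final Set<String> groups;
        UserRecord(byte[] s, byte[] h, Set<String> g) { salt = s; hash = h; groups = g; } }
    // Constructed in-memory user store (hypothetical demo data) standing in for the JDBC or LDAP
    // lookup the replies recommend; the module logic is the same either way.
    static final Map<String, UserRecord> USERS = new HashMap<>();
    static {
        USERS.put("alice", record("correct horse".toCharArray(), "staff", "manager"));
        USERS.put("bob", record("battery staple".toCharArray(), "staff"));
    }
    static UserRecord record(char[] password, String... groups) {
        byte[] salt = new byte[16]; new SecureRandom().nextBytes(salt);
        return new UserRecord(salt, pbkdf2(password, salt), new HashSet<>(Arrays.asList(groups)));
    }
    /** Salted, deliberately slow hash so a leaked user store cannot be cracked cheaply. */
    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (java.security.GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    private Subject subject; private CallbackHandler handler; private String user; private UserRecord rec;
    @Override public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState,
                                     Map<String, ?> options) { this.subject = subject; this.handler = handler; }
    @Override public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("could not obtain credentials: " + e); }
        char[] pw = pc.getPassword(); pc.clearPassword();
        if (nc.getName() == null || pw == null || pw.length == 0) throw new FailedLoginException("bad credentials");
        UserRecord r = USERS.get(nc.getName());
        // Hash even for unknown users (so response time does not reveal which names exist) and compare
        // in constant time with MessageDigest.isEqual rather than Arrays.equals.
        byte[] candidate = pbkdf2(pw, r != null ? r.salt : new byte[16]);
        Arrays.fill(pw, '\0');
        if (r == null || !MessageDigest.isEqual(candidate, r.hash)) throw new FailedLoginException("bad credentials");
        user = nc.getName(); rec = r;
        return true;
    }
    /** Runs only after every module in the stack succeeded: attach the user and group principals. */
    @Override public boolean commit() {
        if (rec == null) return false;
        subject.getPrincipals().add(new SimplePrincipal("user", user));
        for (String g : rec.groups) subject.getPrincipals().add(new SimplePrincipal("group", g));
        return true;
    }
    @Override public boolean abort() { user = null; rec = null; return true; }
    @Override public boolean logout() { subject.getPrincipals().clear(); user = null; rec = null; return true; }

    /** Demo driver: runs the module through LoginContext with a programmatic Configuration. */
    public static void main(String[] args) {
        Configuration conf = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(GroupLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap()) };
            }
        };
        String[][] attempts = { {"alice", "correct horse"}, {"alice", "wrong"}, {"carol", "whatever"} };
        for (String[] a : attempts) {
            CallbackHandler h = cbs -> {  // answers the module's callbacks with this attempt's values
                for (Callback cb : cbs) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(a[0]);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(a[1].toCharArray());
                    else throw new UnsupportedCallbackException(cb);
                }
            };
            try {
                LoginContext lc = new LoginContext("demo", new Subject(), h, conf); lc.login();
                System.out.println(a[0] + ": accepted, principals=" + lc.getSubject().getPrincipals());
            } catch (LoginException e) {
                System.out.println(a[0] + ": rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Compile and run with `javac GroupLoginModule.java && java GroupLoginModule`: the first attempt is accepted with user and group principals attached, the wrong password and the unknown user are both rejected with the same message. When deployed in an app server, the module is named in the server's JAAS configuration instead of the programmatic Configuration used here, form-based login supplies the callbacks, and the `<security-role>` names declared in web.xml are mapped to the group names this module adds, so adding or removing users touches only the user store and never the XML files.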