EJB design: How do I implement the login functionality using J2EE

  1. I have situation in which a lot of my bean methods are role based. In other words I use declarative security.

    How does the user actually log in. One way is form based loggin. But the EJBs are also accessed through swing app. How would the login work. If i do have a class which takes care of logging the user. How do I ensure that thats the class the form based logins also use for logggin in. Is user challenged with a screen for user id and password when he tries to access methods on beans or jsps which have been secured through the form based login functionality.

    Thanks in advance

  2. Check out


    Its a great way to handle autherntication. using JBoss for example, which has JAAS on be default, you simply edit config files and tell JBoss to use a particular LoginModule for a particular bean. the sample modules provided by sun include ones to authenticate against Solaris/PAM, an NT Domain, or (wahoo!) and LDAp directory.

    But you can hand roll your own and do all kinds of nifty stuff, and it will all be handled by the ejb container for you.

  3. Matthew definitely points out the most robust implementation in his article.

    As a side note, however, the simple way to do what you are requesting is to set the JNDI Authentication Properties and pass in those values as part of a Properties object tohe InitialContext() constructor. This will programmatically force an authentication as well. The security context given to you will be propagated to any EJB methods that are invoked.

  4. I have one more question based on JNDI based authentication. Say during a session i get an InitialContext by passing the credentials of the User. Will the user remain authenticated for the rest of the session implicitly or I will have to explicitly provide the same InitialContext() to get a reference to the HomeInterface of a Bean which provides role based access.
    Using PAM as Matthew suggested I remain logged in implicitly.
    The fact is I dont have the time to go into implementing PAM so I am looking to this JNDI thing to sort matters out for me for the time being.
  5. Your credentials will be held as long as you hold the reference to the InitialContext that you created. You could theoretically put the InitialContext into an HttpSession, but I don't think that is a good idea. Since you mentioned that your client was a Swing client, the client could easily hold onto the InitialContext (which you create at the beginning of the program).

    As for JSP-based client invocations, just set up your JSP to require BASIC authentication. The web page will prompt you for a user name and password that will automatically map to your application server's default security realm. Once you complete a basic authentication over the web, your security context will be remembered across sessions. WLS maintains information about the connection between a browser and the server so that when subsequent HTTP requests arrive, repeat authentication does not need to occur. Other application server behave the same way as well.

  6. Actually my problem is as follows. I have a controller object which is a servelt which excecutes all commands.
    The JSP mediators and SWing mediators. Now its the servelet which will talk to all beans. If somehow I can give this controller servelt the credentials from Swing mediator I can do the basic authentication for JSP pages. How can i do that

  7. Please tell me this. If I do create an initial context using the HTTPS session by providing all the credentials from the Swing app will this imply that all subsequent InitialContext's made by that Application will automatically be Authenticated Initial Context's whether I state this or not while creating a intial context.

    Please tell me if this approach is Vaild. Since I have a swing mediator and a Web mediator would it not be possible for me to call the Login.jsp for basic authntication from a URL connection from the swing mediator.This would keep my client authenticated all the time regardless of whether its a swing one or a web one