wamblee.org

Introduction

FlexibleJdbcRealm is a glassfish security realm and is deployed as an additional jar of the glassfish runtime.

Configure the datasource

To start off, a datasource must be configured for accessing the database with user and group information.

Installation of the Flexible Jdbc Realm

  • Copy the FlexibleJdbcRealm jar to the glassfish lib directory.

Configure glassfish with the realm definition

  • Add mapping of the security realm to the flexible JDBC realm login module to the login.conf of the glassfish domain you are using. For example:
                
    PhotoXChangeRealm {
            org.wamblee.glassfish.auth.FlexibleJdbcLoginModule required;
    };
              
  • Configure the security realm in glassfish.
    • In admin console, go to Configuration/Security/Realms.
    • Add a new realm and use the class name org.wamblee.glassfish.auth.FlexibleJdbcRealm as the realm class.
    • Configure the realm as follows:
      PropertyDescription
      jaas.context The name of the realm as in login.conf and web.xml.
      sql.password The sql prepared statement that returns the encoded password for a given user. The username is the single parameter of the realm.
      sql.groups The sql prepared statement which returns the groups based on the username.
      datasource.jndiThe jndi name of the datasource.
      password.digestThe digest method of the password. The value of this property is an encoding as supported by MessageDigest.getInstance(String). The special value PLAIN must be used to indicate that no encoding will be used. Use for instance MD5 for MD5 digests.
      Note: In version 0.1, the value MD5HEX was used for MD5, this must now be simply MD5
      Note: In version 0.2, the name of this property was password.encoding. In later versions, the digest method and encoding are separately configurable.
      password.encodingOptional property for the encoding of the digest result into a string. Two encoding methods are supported:
      • HEX: For hexadecimal encoding.
      • BASE64: For base64 encoding.
      If this property is not set then the value HEX is used.
      sql.seedOptional property to define the query to retrieve the seed for a given user name. This is a query in prepared statement syntax with one parameter for the user name. If this property is not defined then the empty string will be used for the seed (which is identical to no seeding).
      password.seed.formatOptional property that defined how the seed will be used together with the password. This is a string in java.text.MessageFormat format with the first parameter the password and the second parameter the seed. If this property is not set than the default format is "{0}{1}" meaning that the seed will be appended to the password.
      assign-groups Optional parameter with a comma-separated list of groups that any authenticated user is assigned to.

Configure the application with a realm definition

  • Add realm definition to web.xml login-config element (realm-name), For example:
                
        <login-config>
            <auth-method>FORM</auth-method>
            <realm-name>PhotoXChangeRealm</realm-name>
            <form-login-config>
                <form-login-page>/login.jsp</form-login-page>
                <form-error-page>/loginError.jsp</form-error-page>
            </form-login-config>
        </login-config>
              
Note: In glassfish V2 b58, <role-name>*</role-name> does not work and you should use the assign-groups property to assign any authenticated user to a specific group. That specific group should be used to represent any authenticated user instead of using <role-name>*</role-name>.