I'm currently working on a web application based on Java EE 7, PostgreSQL and the application server GlassFish 4. I need to implement a form based authentication, and to secure some URL knowing that :
- the users and the roles/groups (whatever they are called) are stored in the database.
- I wanted my application to be as "standard" as possible (i.e I am currently using JSF and JPA, and no other framework like spring, struts ...)
After some research, I found that Java EE provided a standard authentication mechanism called JASPIC. So, I focused my research on JASPIC and I read multiple Stackoverflow Q/A and those articles written by Arjan Tijms (It's almost impossible to find a Stackoverflow Q/A related to Java EE without one of his answers or comments, thanks to him by the way) :
- http://arjan-tijms.blogspot.fr/2012/11/implementing-container-authentication.html
- http://arjan-tijms.blogspot.fr/2013/04/whats-new-in-java-ee-7s-authentication.html
- http://arjan-tijms.blogspot.fr/2014/03/implementing-container-authorization-in.html
My question is : will JASPIC allow me to do what I need (form authentication + URL restriction with roles) and is it worth the effort to use it ? What I mean is : it's perhaps safer and easier to use another mechanism.
Arjan Tijms also says that whether or not using JASPIC is "a kind of chicken-and-egg problem" and if JASPIC is safe to use (It doesn't create more problems than it solves), no matter the amount of code I need to write, I really want to be "one of the first chickens".