Resin JDBC Authenticator with JTDS

Uncategorized — Titus Barik on February 22, 2005 at 4:13 pm

A naive method for web-based authentication is a session-variable check on every security-restricted page. If the user is not authenticated, he or she is redirected to a login page. This works, but it's quite inelegant.

A better solution is the use of the J2EE form-based authentication mechanism, which moves authentication logic from the web application to the application server itself. A common scenario involves a password restricted folder, authenticated via a database store which contains usernames, passwords, and role information.

In this example, we illustrate the use of the JDBCAuthenticator provided by Resin in conjunction with the jTDS Microsoft SQL Server driver to pull data from the backend. The first step is to add a database pool to resin.conf:

<database>
  <jndi-name>jdbc/db-pool</jndi-name>
  <driver>
    <type>net.sourceforge.jtds.jdbc.Driver</type>
    <url>jdbc:jtds:sqlserver://serveraddr:1433;DatabaseName=dbName</url>
    <user>username</user>
    <password>password</password>
  </driver>
</database>

The database pool manages and provides all connections to a database. The jndi-name is relative to java:comp/env; I've chosen this name because it's the default pool-name the JDBCAuthenticator uses later on. Next, we specify a security constraint:

<security-constraint url-pattern='/users-only/*'
   role-name='user'/>

This, and all further changes, are made to the web.xml file for your project. Basically, all this says is that only users who successfully authenticate under the user role can access pages in the users-only directory. If a user tries to access a page in this directory and is not authenticated, he or she is taken to the login page:

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/fail_login.html</form-error-page>
  </form-login-config>
</login-config>

The login.jsp form is not much more difficult:

<form action="j_security_check" method="POST">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
  <input type="submit" />
</form>

The form action must be named j_security_check, and the fields must be named j_username and j_password.

Simple enough. The final step is to tell login-config exactly how it should validate a user. You can use any authentication mechanism you like, and you can even write your own. We, of course, are using the Resin built-in JDBCAuthenticator:

<authenticator type='com.caucho.server.security.JdbcAuthenticator'>
  <init>
    <password-query>
      SELECT password FROM TBL_USERS WHERE username=?
    </password-query>
    <cookie-auth-query>
      SELECT username FROM TBL_USERS WHERE cookie=?
    </cookie-auth-query>
    <cookie-auth-update>
      UPDATE TBL_USERS SET cookie=? WHERE username=?
    </cookie-auth-update>
    <password-digest>none</password-digest>
  </init>
</authenticator>

Since our authenticator is backed by a database, we specify the query that returns the stored password we check against. The username is filled in automatically through the ? substitution parameter. Cookies are used to maintain the user session throughout the application context, and these are stored in the database as well. The default password digest is md5-base64; if password-digest is set to none, as here, the password is stored in the database in plain text.
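As an added illustration (not Resin's code and not part of the original post), the following Python models the three queries above against a constructed in-memory SQLite stand-in for TBL_USERS: the bound ? parameters, the password comparison under none versus a configured digest (the sha256_hex digest is an assumption for contrast, not Resin's md5-base64 format), and the cookie update on successful login.

```python
import hashlib
import hmac
import secrets
import sqlite3

# The three statements from the <init> block above; every '?' is bound as a
# query parameter, so the submitted value is data, never part of the SQL text.
PASSWORD_QUERY = "SELECT password FROM TBL_USERS WHERE username=?"
COOKIE_AUTH_QUERY = "SELECT username FROM TBL_USERS WHERE cookie=?"
COOKIE_AUTH_UPDATE = "UPDATE TBL_USERS SET cookie=? WHERE username=?"


def make_store(users):
    """Constructed in-memory stand-in for TBL_USERS: (username, stored_password)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE TBL_USERS (username TEXT PRIMARY KEY,"
                 " password TEXT, cookie TEXT)")
    conn.executemany("INSERT INTO TBL_USERS (username, password) VALUES (?, ?)", users)
    return conn


def sha256_hex(password):
    """Stand-in for a configured password-digest (an assumption; Resin's
    md5-base64 format is not reproduced). With 'none' the column holds the
    plaintext password and the comparison runs against it directly."""
    return hashlib.sha256(password.encode()).hexdigest()


def login(conn, username, password, digest=None):
    """Model of the j_security_check step: run password-query with the bound
    username, compare the stored value with the (digested) submitted password
    in constant time, then issue a fresh cookie via cookie-auth-update.
    Returns the cookie on success, None otherwise."""
    row = conn.execute(PASSWORD_QUERY, (username,)).fetchone()
    if row is None or row[0] is None:
        return None
    candidate = digest(password) if digest else password
    if not hmac.compare_digest(candidate.encode(), row[0].encode()):
        return None
    cookie = secrets.token_urlsafe(32)  # 256 random bits per session
    conn.execute(COOKIE_AUTH_UPDATE, (cookie, username))
    return cookie


def user_for_cookie(conn, cookie):
    """Model of cookie-auth-query on later requests: cookie -> username."""
    row = conn.execute(COOKIE_AUTH_QUERY, (cookie,)).fetchone()
    return row[0] if row else None
```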

You can now authenticate users for your web application easily and without any messy session checking. I wrote this article because I had a lot of trouble finding coherent documentation on how to complete this single task end to end.
