I'm developing an app whose client will be html5 + javascript (single-page-app) and the backend will be basically jax-rs + cdi + nosql (glassfish & orientdb). In this scenario, I need help defending how to authenticate users.
User data is in the orientdb database. I know I have to create an algorithm to connect to the bd and validate the credentials of the user, but for this, should I create a custom realm and a LoginModule on my own?
In an application server such as GlassFish or JBoss we could solve this using the standard security mechanisms. To do this, just create a connection pool , a JDBC realm and implement form authentication .
<form method="POST" action="j_security_check">
<input type="text" name="j_username">
<input type="password" name="j_password">
</form>
web.xml
<login-config>
<auth-method>FORM</auth-method>
<realm-name>jdbcRealm</realm-name>
<form-login-config>
<form-login-page>/login.xhtml</form-login-page>
<form-error-page>/login.xhtml</form-error-page>
</form-login-config>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>Secure Pages</web-resource-name>
<description/>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>ADMINS</role-name>
</auth-constraint>
</security-constraint>
That said, this authentication template may not be enough. Frameworks such as Spring Security and Apache Shiro are commonly used in Web applications to provide more complete and flexible authentication and authorization implementations.