2

I am building an android application which communicates with the web server on apache tomcat. Web server build in JAVA EE. Currently for authentication and authorization I am using username , password and for managing the session I am using tokens. So when the user logs in I will check mysql database and authenticate the user. When the user tries to do some action , based on the token the sent , I will identify the user and authorize to do that action based on the privileges given to that user. It looks bit cumbersome . I was wondering is there any standard framework which make this task easy.

  1. Is there any tomcat container level authentication and authorization possible , so the request won't reach the web application if its not authorized to do the action ?

  2. Or else Is there any framework which provides standard authentication and authorization in web application ?

Prabhuraj
  • 141
  • 3
  • 17
  • 1
    for 2: spring-security – jmj Jul 14 '14 at 02:16
  • Thanks Jigar for the response. I am new to JAVA and its an simple android application with web server , do you think its easy and worth to learn Spring framework and implement it on web server ? Sorry for bothering you. – Prabhuraj Jul 14 '14 at 02:22
  • depends on your app's timeline and maintainability – jmj Jul 14 '14 at 02:25
  • Thanks Jigar. Do you have idea about Tomcat Realms , Is it possible to do achieve using this ? – Prabhuraj Jul 14 '14 at 02:38

1 Answers1

1

Apache Shiro is what you are looking for:

Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. With Shiro’s easy-to-understand API, you can quickly and easily secure any application – from the smallest mobile applications to the largest web and enterprise applications.

I used Spring security (version 3) in couples of projects, the shortcoming was the size of jars you need to deploy (it is Spring!), it's was cumbersome.

Also I have integrated Apache Shiro with magnolia-cms, as far as I can say Apache Shiro has the strength of Spring Security with the ease of use.

elsadek
  • 1,028
  • 12
  • 39
  • Hi elsadek . I need some more clarification on the Apache shiro . I used tomcat realms to configure the server to have authentication when they try to connect to it. But now its configured to pop up the login form to enter the user credentials . I am not using the server for the web application , its mobile application. Is there a way when the http request is sent to server, server to extract the username and password from the http request and authenticate ? And currently once logged in , its not asking for password. How to configure to let server authenticate for every request ? – Prabhuraj Jul 24 '14 at 06:52
  • not sure how it fits into your app; this is how I would implement your requirement: Secure a dummy url in tomcat using shiro, first time you need to authenticate a user callback that URL, once authenticated, use http requests to that URL to handle the user session – elsadek Aug 03 '14 at 19:04