Can you explain to me how to implement authentication and authorization in Java EE 7 using the WildFly server?
Spring Security requires you to provide a database model: http://springinpractice.com/2010/07/06/spring-security-database-schemas-for-mysql
In Spring Security I can use taglibs http://docs.spring.io/spring-security/site/docs/3.0.x/reference/taglibs.html
So I don't understand how to do this in Java EE? I would like to use JSF + EJB 3.2 ... JPA - Hibernate ...
WildFly:
Instead of specifying fixed tables and columns for users and groups, I can actually specify a SQL query that finds in the database what the security domain needs to authenticate and to authorize users.
<security-domain name="app" cache-type="default">
    <authentication>
        <login-module code="Database" flag="required">
            <module-option name="dsJndiName" value="java:jboss/datasources/AppDS"/>
            <module-option name="principalsQuery" value="select password from authentication where username=?"/>
            <module-option name="rolesQuery" value="select group_name, 'Roles' from user_group ug inner join authentication a on ug.user_id = a.user_account where a.username = ?"/>
            <module-option name="hashAlgorithm" value="SHA-256"/>
            <module-option name="hashEncoding" value="BASE64"/>
            <module-option name="unauthenticatedIdentity" value="guest"/>
        </login-module>
        <login-module code="RoleMapping" flag="required">
            <module-option name="rolesProperties" value="file:${jboss.server.config.dir}/app.properties"/>
            <module-option name="replaceRole" value="false"/>
        </login-module>
    </authentication>
</security-domain>
So now I can't understand. Does this mean that I do not need to specify a database schema, for example an entity like Person which implements a suitable interface? How can I use security annotations in my application?
I think Spring Security is the best choice to secure an app, and its security policy is transferable, because it does not depend on the application server.
Can you give me an example of how I can secure my application?
I am using:
- EJB 3.1
- JSF 2.2
- WildFly 8.2
I want the solution to be flexible.
I have entity Person and Roles ...
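
An added example, not part of the original question and not WildFly's own code: with hashAlgorithm=SHA-256 and hashEncoding=BASE64, the Database login module hashes the submitted password and compares it with whatever principalsQuery returns, so the password column must already hold that same encoded digest. The class name, method names and sample password are constructed for illustration; Java 8+ and UTF-8 are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class DatabaseModuleHashExample {

    // Mirrors hashAlgorithm="SHA-256" and hashEncoding="BASE64" from the
    // security domain: one unsalted digest of the password, Base64-encoded.
    static String storedForm(String clearText) throws NoSuchAlgorithmException {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        // Assumption: UTF-8. The module uses the platform default charset
        // unless the hashCharset module-option is set, so pin it on both sides.
        byte[] digest = sha256.digest(clearText.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(digest);
    }

    // Equivalent of the login check: hash what the user submitted and compare
    // it with the value principalsQuery returned. MessageDigest.isEqual is
    // this example's choice for the comparison.
    static boolean matches(String submitted, String columnValue)
            throws NoSuchAlgorithmException {
        byte[] expected = columnValue.getBytes(StandardCharsets.US_ASCII);
        byte[] actual = storedForm(submitted).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String registered = "correct horse battery staple"; // constructed sample
        String columnValue = storedForm(registered);        // what registration must persist

        // A SHA-256 digest is 32 bytes, so the column needs room for 44 characters.
        System.out.println("column length needed: " + columnValue.length());
        System.out.println("right password:       " + matches(registered, columnValue));
        System.out.println("wrong password:       " + matches("guess", columnValue));
        // If registration stored the clear text instead, every login fails.
        System.out.println("clear text in column: " + matches(registered, registered));
    }
}
```

Because the digest is unsalted, two users with the same password end up with identical column values.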