How to integrate your own backend (Realm?)

Hi
I just started to use JSecurity and have some questions about the
integration.

I want to get JSecurity to look up users and roles from our own object database,
where the information is stored in an object like this:

public class Users {
    private String loginName;
    private String md5Password;
    private String roles;
    // or: private List roles;
}

How do I achieve this?

I have tried to implement my own Realm extending SimpleAccountRealm and
implementing doGetAccount(AuthenticationToken) but can't get JSecurity
configured to use my realm. How do I get JSecurity configured to use my
realm? I tried to use the following code:

        UserRealm aRealm = new UserRealm();
        DefaultSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm( aRealm );
        securityManager.init();

I would prefer to use JSecurity internally in my business code (internal in
JBoss) but can't figure out how to get JSecurity enabled
(SecurityUtils.getSubject() returns null).

Alternatively, I have tried to use it in a web app (JSF) with the JSecurityFilter.
In my web filter extending JSecurityFilter I call the above code before
onFilterConfigSet(), but can only get the default PropertyRealm to work.

Can anybody guide me in the right direction? I am probably just missing
something obvious.

Re: How to integrate your own backend (Realm?)

Hi f_kasper!

Sorry for the delayed reply - yesterday was a crazy one for us.

Your questions are all really good! Here are my (hopefully useful) answers:

The SimpleAccountRealm is useful if you 1) don't want to implement the Account interface in your User class and/or 2) you want JSecurity to cache Account instances for you.

If you're using Hibernate or JPA and have a 2nd level cache enabled for either (Ehcache, etc), you are probably already caching User objects, so #2 is already taken care of by Hibernate or JPA, so you don't need the SimpleAccountRealm to do the caching for you.

As far as #1, most people find it easiest to implement the AuthorizingAccount interface in your User class. Then you can return your user objects directly from the Realm and JSecurity will use them directly. If you will implement the AuthorizingAccount interface in your user class, then it is usually just easiest to make your Realm extend the org.jsecurity.realm.AuthenticatingRealm class directly, and just implement the Authorization methods manually.

These methods would take the form of something like:

com.my.domain.User user = getUser(principalCollection);
// your User class would implement hasRole by checking the Set of role names
// you have already set up in your domain model.
return user.hasRole( roleName );

The rest of the methods would perform similar actions to fulfill the method contract. This is probably the easiest approach when you have a nice User domain model.

However, if you don't want to implement the AuthorizingAccount on your User class, that's perfectly fine, and you'll probably want to use SimpleAccountRealm. You'll just have to create Account instances representing your User objects (most of this is done already in the SimpleAccountRealm implementation - you might have to override a method or two).

----
Configuring your realm:

Now, this is a little different as we don't have native JEE/JBoss support yet, but it is really easy actually.

You'll have to subclass the JSecurityFilter, e.g. MyJSecurityFilter:

Override the onFilterConfigSet() method to instantiate a DefaultWebSecurityManager instance (since you're operating in a web environment) and inject it with your Realm(s), just as you have done in your example code block. Also override the getSecurityManager() method to return that SecurityManager instance. The reason you have to do this is that JSecurity (currently) can't make assumptions about how your Realms are configured - manual config, JNDI, EJB3, etc, so we have no way of looking up Realm objects yet. So, you'll have to inject them manually as noted above.

Then, declare your MyJSecurityFilter in web.xml instead of the existing JSecurityFilter. All other config options remain the same.

This will change prior to 1.0 - we'll have native support for JEE just like we already have support for Spring (i.e. SpringJSecurityFilter). It will probably do the Realm lookup from JNDI or allow some sort of EJB3 annotation.

Please feel free to ask any more questions.

Regards,

Les
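
The filter subclass described in the reply above, as an added example that is not part of the original thread and not JSecurity's own code. It assumes the poster's UserRealm class, a hypothetical com.my.web package, and JSecurity package names and method signatures that should be checked against the version in use.

```java
package com.my.web; // hypothetical package

// Assumed package locations; verify against your JSecurity release.
import org.jsecurity.mgt.SecurityManager;
import org.jsecurity.web.DefaultWebSecurityManager;
import org.jsecurity.web.servlet.JSecurityFilter;

public class MyJSecurityFilter extends JSecurityFilter {

    // Built once when the container initializes the filter,
    // then shared by every request that passes through it.
    private DefaultWebSecurityManager webSecurityManager;

    @Override
    protected void onFilterConfigSet() throws Exception {
        // Assumption: the parent implementation processes the filter's
        // remaining config, so it runs first. The manager it creates is
        // superseded by the one returned from getSecurityManager().
        super.onFilterConfigSet();

        // UserRealm is the poster's own Realm backed by the object database.
        UserRealm realm = new UserRealm();

        // Same wiring as the code in the question, but performed inside
        // the filter lifecycle so the filter uses this manager.
        webSecurityManager = new DefaultWebSecurityManager();
        webSecurityManager.setRealm(realm);
        webSecurityManager.init();
    }

    @Override
    public SecurityManager getSecurityManager() {
        // Hand the filter the manager that carries the custom Realm
        // instead of the default properties-based one.
        return webSecurityManager;
    }
}
```

In web.xml, the filter-class entry that currently names JSecurityFilter would name com.my.web.MyJSecurityFilter instead, with the other filter settings left as they are.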