Spring Ldap security to authenticate in multiple domains - spring-ldap

I have 3 ldap domains like:
ldap://domain1:389/DC=xxx,DC=xxx
ldap://domain2:389/DC=xxx,DC=xxx,DC=xxx
ldap://domain3:389/DC=xxx,DC=xxx,DC=xxx
I need a mechanism so that if the user is not found in domain 1 it searches in domain 2, and likewise for domain 3. Can you please guide me on the best possible way I can do this using Spring?

You may use multiple Spring authentication providers:
<authentication-manager>
<ldap-authentication-provider ...></ldap-authentication-provider>
<ldap-authentication-provider ...></ldap-authentication-provider>
<ldap-authentication-provider ...></ldap-authentication-provider>
</authentication-manager>
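A complete Spring Security 3 namespace configuration for the three domains in the question, added here as an illustration and not code from the answer above. It assumes a read-only service account per domain (the `manager-dn` values and the `sAMAccountName` filter are placeholders for an Active Directory layout); the providers are consulted in document order, and a user the first domain cannot find fails with `BadCredentialsException`, which `ProviderManager` treats as "try the next provider".

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- One <ldap-server> per domain. URLs are the placeholders from the question;
       manager-dn / manager-password are a constructed read-only bind account
       (replace the REPLACE_ME values), never an anonymous bind. -->
  <ldap-server id="domain1" url="ldap://domain1:389/DC=xxx,DC=xxx"
               manager-dn="CN=svc-auth,OU=Service Accounts,DC=xxx,DC=xxx"
               manager-password="REPLACE_ME"/>
  <ldap-server id="domain2" url="ldap://domain2:389/DC=xxx,DC=xxx,DC=xxx"
               manager-dn="CN=svc-auth,OU=Service Accounts,DC=xxx,DC=xxx,DC=xxx"
               manager-password="REPLACE_ME"/>
  <ldap-server id="domain3" url="ldap://domain3:389/DC=xxx,DC=xxx,DC=xxx"
               manager-dn="CN=svc-auth,OU=Service Accounts,DC=xxx,DC=xxx,DC=xxx"
               manager-password="REPLACE_ME"/>

  <authentication-manager>
    <!-- Providers run in this order. "User not found" in one domain is reported as
         BadCredentialsException, so ProviderManager falls through to the next
         provider; only when all three fail is the last exception surfaced.
         Usernames should therefore be unique across the domains, otherwise the
         first domain that knows the name always wins. -->
    <ldap-authentication-provider server-ref="domain1"
        user-search-filter="(sAMAccountName={0})"
        group-search-base="OU=Groups" group-search-filter="(member={0})"
        group-role-attribute="cn" role-prefix="ROLE_"/>
    <ldap-authentication-provider server-ref="domain2"
        user-search-filter="(sAMAccountName={0})"
        group-search-base="OU=Groups" group-search-filter="(member={0})"
        group-role-attribute="cn" role-prefix="ROLE_"/>
    <ldap-authentication-provider server-ref="domain3"
        user-search-filter="(sAMAccountName={0})"
        group-search-base="OU=Groups" group-search-filter="(member={0})"
        group-role-attribute="cn" role-prefix="ROLE_"/>
  </authentication-manager>
</beans:beans>
```

Each bind password lands in the config file in clear text here; in practice externalize it with a property placeholder or the container's credential store so it is not checked into version control.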

Related

Custom Security mechanism in Java EE 6/7 application

I would like to create (implement by my own) authentication mechanism which will be
plugged into my Java EE application.
As far as I know I have to implement LoginModule and connect this implementation with
container mechanisms somehow. But the problem is that I don't know how to do it.
Maybe You know where I can find sample code or tutorial about it?
In other words I would like to force container to call my classes whenever methods:
authenticate, login, and logout are called.
Sample implementation:
HttpServletRequest.login method will successfully authenticate only users with an even number of letters in the login.
I believe the container independent way of doing this is to use JASPIC (JSR 196). Unfortunately it doesn't appear simple, robust, or particularly well documented. Here is a reference: http://arjan-tijms.blogspot.com/2012/11/implementing-container-authentication.html.
After reading about JAAS, you should implement your login module based on org.jboss.security.auth.spi.AbstractServerLoginModule (from the org.picketbox/picketbox Maven artifact). Then deploy the module with your app, and create a proper security domain and realm in WildFly's standalone.xml, like so:
<security-domain name="myDomain" cache-type="default">
<authentication>
<login-module code="com.example.TestLoginModule" flag="required"
module="deployment.sample.jar"/>
</authentication>
</security-domain>
...
<security-realm name="MyRealm">
<authentication>
<jaas name="myDomain"/>
</authentication>
</security-realm>
Look out for different behaviour on different JBoss AS versions. 7.1.1 will not allow you to deploy the login module, you would have to create a separate jboss module and bind it with org.picketbox and jboss.security modules.
Additional reading:
https://docs.jboss.org/author/display/WFLY8/Security+subsystem+configuration
https://docs.jboss.org/author/display/WFLY8/Security+Realms
http://java.dzone.com/articles/creating-custom-login-modules (it is a little outdated, but it gives the main idea)
You should research JAAS.
Wikipedia gives a good overview:
http://en.m.wikipedia.org/wiki/Java_Authentication_and_Authorization_Service
This will provide all the info and tutorials you need:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/
Tutorial with sample app:
http://download.java.net/jdk8/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly.html
And check this out in SO:
JAAS for human beings

Using LDAP with HornetQ

HornetQ's default SecurityManager (HornetQSecurityManagerImpl) will check users/roles that are stored in hornetq-users.xml. I want to use LDAP for authenticating users; I have two ways:
Using JAAS, and using it with LDAP for authenticating users.
Implementing the SecurityManager interface manually, and using LDAP in my own security manager implementation.
Which one is better? Other approaches? What should I do? (experience, sample)
I'd say it's always better to use something that's ready and tested. Using JAAS with LDAP will give you an easier path, as that should work nicely.
In HornetQ's distribution there's an example showing how to configure JAAS. You can just get the distribution zip at http://www.jboss.org/hornetq/downloads.html and refer to the examples that are part of HornetQ already.

How do I specify which security domain to use for my web application in JBoss AS7?

I'm using JBoss AS7 + JSF 2.1
I'm trying to use a Database login module to authenticate users on a specific resource in my web application. In standalone.xml there are 3 security domains: "other", "jboss-web-policy" and "jboss-ejb-policy".
Should I put my database login module in the "other" security domain?
Or I should define a new custom security domain and put my database login module in it?
Either way, how will I tell JBoss which security-domain/login module it should use for my application?
Thanks in advance.
The two options you mention would be valid, but from my point of view it's better to create a new security domain for your applications (it's clearer).
On the other hand, answering your second question, you have to specify the security domain for your application inside the application meta files (not in JBoss, but in your application).
In case you have a war file you have to set it in the file WEB-INF/jboss-web.xml; it would look something similar to:
<jboss-web>
<security-domain>java:/jaas/your-domain</security-domain>
</jboss-web>
On the other hand, if you have an ejb-jar module, the file META-INF/jboss.xml would look like:
<jboss>
<security-domain>java:/jaas/your-domain</security-domain>
</jboss>
And if you have an ear file, the file META-INF/jboss-app.xml would look something similar to:
<jboss-app>
<security-domain>java:/jaas/your-domain</security-domain>
</jboss-app>

spring security 3 authentication method

I'm new at Spring Security. I've read the docs and I have two questions, in order to integrate it in my webapp:
(1) I use Hibernate. Is it better to configure the authentication by customizing the authentication provider, implementing the UserDetailsService and accessing the DAO?
Or is it better to configure it with a JDBC-user-service referencing the database connection and specifying the queries on the user and user_roles tables?
I think using a Hibernate DAO is more difficult, but it would be a more database-independent solution, isn't it?
(2) In either of both cases above (Hibernate vs JDBC), do I have to implement in the presentation layer the methods to login and logout? Or does the Spring Security framework do it automatically for me? I know I can use the UserDetails to know the info about the current logged-in user, in order to use it in the views, for example to show or not the links for login/logout depending on whether the user is logged in or not. But what about the methods?
Any help would be appreciated. Thank you very much in advance.
As far as I understand, implementing the UserDetailsService is more for user customization. If you can get the data by a straightforward query, use JDBC-user-service.
You do not need to implement the methods. Spring will take care of login and logout depending on your configuration. For logoff, you could wrap the link with 'j_spring_security_logout':
<a href="<c:url value="/j_spring_security_logout"/>">Logout</a>
Check the form-login element for more info. A sample is as below.
<form-login login-page="/login.jsp"
default-target-url="/welcome.jsp"
always-use-default-target="true"
authentication-failure-url="/login.jsp?error=true" />

Tomcat 7.11 JDBCRealm and UserDatabaseRealm dont work together

I'm trying to set up container-managed security (a realm) for my web app (JSF 2.1 + Hibernate). I have noticed that Tomcat 7 can only use one type of realm at a time.
To use Tomcat in NetBeans (7.0) I have to create an account with the manager-script role. In addition, to work with Tomcat manager I also need another role. This is a big problem for me because the tables I'm using for JDBCRealm are views of actual tables that store users and roles, and I would like not to store both of the roles in the same DB that my program uses.
Is there a way to make JDBCRealm and UserDBRealm work together? That would be a relief.
Here is the code from server.config:
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
<Realm className="org.apache.catalina.realm.JDBCRealm"
driverName="org.gjt.mm.mysql.Driver"
connectionURL="jdbc:mysql://localhost:3306/realm?user=login&password=pass"
userTable="users"
userNameCol="user_name"
userCredCol="user_pass"
userRoleTable="user_roles"
roleNameCol="role_name" />
Tomcat uses only the last one it finds in the file. They work fine separately.
Use a CombinedRealm (doc, javadoc):
Realm implementation that contains one or more realms. Authentication is attempted for each realm in the order they were configured. If any realm authenticates the user then the authentication succeeds. When combining realms usernames should be unique across all combined realms.
Maybe you are already using the LockOutRealm (doc, javadoc) which is a subclass of CombinedRealm and it's in the default config of Tomcat.
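The poster's two realms nested inside the LockOutRealm that ships in Tomcat 7's default server.xml, added here as a worked example rather than the answer's own config. It assumes the same MySQL schema as the question (`users`/`user_roles` views) and, as a labelled assumption, that `user_pass` holds hex SHA-256 digests rather than clear-text passwords; the driver name, DB credentials and lock-out thresholds are constructed placeholders.

```xml
<!-- server.xml, inside <Engine> (or a single <Host>) -->
<!-- LockOutRealm is a CombinedRealm subclass: it tries the nested realms in
     order and additionally locks a user name after repeated failures, which
     rate-limits password guessing against both backends. -->
<Realm className="org.apache.catalina.realm.LockOutRealm"
       failureCount="5" lockOutTime="300">

  <!-- 1st: manager-gui / manager-script accounts for NetBeans and the Tomcat
       manager, kept in conf/tomcat-users.xml, out of the application DB. -->
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>

  <!-- 2nd: application users from the DB views; consulted only when the
       first realm does not authenticate the name. Names must be unique
       across both realms, otherwise the first match always wins. -->
  <Realm className="org.apache.catalina.realm.JDBCRealm"
         driverName="com.mysql.jdbc.Driver"
         connectionURL="jdbc:mysql://localhost:3306/realm"
         connectionName="login" connectionPassword="pass"
         digest="SHA-256"
         userTable="users" userNameCol="user_name" userCredCol="user_pass"
         userRoleTable="user_roles" roleNameCol="role_name"/>
</Realm>
```

Keeping the DB credentials in `connectionName`/`connectionPassword` instead of the `connectionURL` query string stops them from turning up in driver logs and URL-parsing error messages.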
