I'm exploring pure Java EE ways of doing programmatic security, especially login users, based on the jdbc realm from my glassfish server.

So basically, in my login servlet I'm doing

String username = request.getParameter("username");
String password = request.getParameter("password");

try {
    request.login(username, password);
....

Without doing anything in my web.xml, the default realm (file) is used. I don't want that, I want to use my jdbcRealm named jdbcsecurerealm.

So I'm adding the following to my web.xml

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>jdbcsecurerealm</realm-name>
</login-config>

Note that I don't add any form-login-config to define form-login-page and form-error-page.

Then if I define security constraints such as

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Admin Pages</web-resource-name>
        <description></description>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>administrator</role-name>
    </auth-constraint>
</security-constraint>

well... it works ! The request.login checks against my jdbcRealm and if I try to access secured pages without being logged in then I'm getting a nice 403.

But it seems that I'm mixing declarative security and programmatic security, because I feel that I shouldn't be declaring anything inside web.xml but rather be using request.isUserInRole.

Question:

Am I hitting a glassfish specific behaviour, or is it allowed to use programmatic security (request.login) with a jdbc realm defined inside web.xml without form-login-config ?

Update I've just seen that there is a possibility to specify a realm inside glassfish-application.xml, is it a better approach to build an ear instead of a war in order to specify the realm ?

A purely programmatic approach in a portable (pure Java EE) way is not possible when you use container specific (proprietary) login modules such as the GlassFish JDBC login module/realm.

There is an API in Java EE 6 for this: JASPIC. With that API (SPI technically), you can build portable authentication modules AND configure them fully programmatic without the need for any declaration.

I wrote a blog article about this that hopefully provides you with some more details.

Well, there are two aspects to security in web applications : Authentication and Authorization. What you are using here is programmatic authentication (the way users are logging in) and declarative authorization (defining what users are allowed to see). There is no issue in mixing both, in my opinion.

If you keep your realm in your web.xml, your application will be more portable. (meaning you can deploy your war in e.g. a tomcat server without changes).