I am trying to develop a very simple web app with the following features:
1. Users should be able to register (sign up) with the application, i.e. backend code will create a new user account when a new user signs up.
2. Once the user account is created, they should be able to log in.
I was reading the Java Security section in the Java EE tutorial. To use any of the Java EE security features, the recommended way is to have a security-constraint in web.xml specifying the roles that have access to the application. The roles are then mapped to users that are created in the application server. The problem here is that the users cannot be created at deployment time. Users are created at run-time as new people sign up using the registration form. So, how can users be created in the application server before deploying the application?
It seems very odd to me that application users are defined at the app-server level. E.g., eBay/Amazon have millions of users. Are all those users defined at the application server where their app is deployed?
If Java EE security cannot support this simple use case, what is the point of having security-constraint and all the other security features?
As per your comment, you want to use J2EE/JAAS security for existing users and want a sign-in feature. You can do it by providing a link on the log-in screen. Please create a sign-up page and an unprotected resource in web.xml. Once the user fills in the sign-in details, you can store their details in your authorization repository (LDAP / database) and then either redirect the request to the login page or submit to your authorization scheme directly.
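To make the above answer concrete, here is an added example (not code from the original post or from the Java EE tutorial) of the run-time sign-up path it describes: a public `/signup` servlet that inserts the new account into the database tables a container-managed JDBC realm reads, then hands the user to the container's own login. Everything about the realm is an assumption: the table names `users(username, password)` and `user_roles(username, rolename)`, the DataSource JNDI name `java:comp/env/jdbc/AppDS`, the role name `user`, and that the realm is configured to verify the PBKDF2 format written by `hash()`. The web.xml fragment in the comment is likewise assumed; its point is that `/app/*` is constrained while `/signup` is left out of every security-constraint and therefore stays public.

```java
// Added example, not from the original post. Assumed web.xml (protects /app/*,
// leaves /signup and /signup.jsp unconstrained, uses container FORM login):
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>protected</web-resource-name>
//       <url-pattern>/app/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint><role-name>user</role-name></auth-constraint>
//   </security-constraint>
//   <login-config>
//     <auth-method>FORM</auth-method>
//     <form-login-config>
//       <form-login-page>/login.jsp</form-login-page>
//       <form-error-page>/login-error.jsp</form-error-page>
//     </form-login-config>
//   </login-config>
//   <security-role><role-name>user</role-name></security-role>

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Base64;
import javax.annotation.Resource;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

@WebServlet("/signup")
public class SignupServlet extends HttpServlet {
    // Assumed JNDI name of the same DataSource the container's JDBC realm uses.
    @Resource(lookup = "java:comp/env/jdbc/AppDS")
    private DataSource ds;
    private static final SecureRandom RNG = new SecureRandom();

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        // Reject malformed input before it reaches the realm's tables.
        if (username == null || !username.matches("[A-Za-z0-9_.-]{3,32}")
                || password == null || password.length() < 8) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid username or password");
            return;
        }
        try (Connection c = ds.getConnection()) {
            c.setAutoCommit(false); // user row and role row must land together
            try (PreparedStatement u = c.prepareStatement(
                         "INSERT INTO users(username, password) VALUES (?, ?)");
                 PreparedStatement r = c.prepareStatement(
                         "INSERT INTO user_roles(username, rolename) VALUES (?, 'user')")) {
                u.setString(1, username);
                u.setString(2, hash(password)); // never store the clear-text password
                u.executeUpdate();
                r.setString(1, username);
                r.executeUpdate();
            }
            c.commit();
        } catch (SQLException e) {
            // A duplicate username surfaces here; keep the message generic.
            resp.sendError(HttpServletResponse.SC_CONFLICT, "could not create account");
            return;
        }
        // The realm now knows the account. Either submit to the container's
        // authentication directly (Servlet 3.0 login) or fall back to the
        // redirect, which triggers the FORM login for the protected area.
        try {
            req.login(username, password);
        } catch (ServletException loginFailed) {
            resp.sendRedirect(req.getContextPath() + "/login.jsp");
            return;
        }
        resp.sendRedirect(req.getContextPath() + "/app/");
    }

    // Salted PBKDF2-HMAC-SHA256; the realm's credential handler (assumption)
    // must be configured to parse "pbkdf2:<salt>:<derived key>" and verify it.
    static String hash(String password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 100_000, 256);
            byte[] dk = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
            Base64.Encoder b64 = Base64.getEncoder();
            return "pbkdf2:" + b64.encodeToString(salt) + ":" + b64.encodeToString(dk);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The security-constraint and the realm stay exactly as the tutorial describes; what changes at run-time is only the contents of the tables the realm queries, which is why accounts do not have to exist before deployment. Whatever hashing format you choose has to match what the container's realm verifies, so treat the `hash()` format here as a placeholder for your server's configured credential scheme rather than as something every realm accepts.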
The current Java EE specification does provide a standard way of managing users/groups. For user/group management there are several options.
1. SPML clients.
2. OID/AD/LDAP/ or other LDAP proprietary APIs
3. OPSS's IGF API
4. An IDM provisioning system (e.g. OIM)