4 Replies Latest reply on Dec 20, 2011 3:32 PM by 376398

    Web Application Security - User authentication and registration

      I am trying to develop a very simple web app with following feature
      1. Users should be able to register (sign-up) with the application, i.e backed code will create new user account when new users sign up.
      2. Once the user account is created, they should be able to log in.

      I was reading Java Security section in Java EE tutorial. To use any of Java EE security, the recommended way is to have security-constraint in web.xml specifying roles that have access to application. The roles are then mapped to the users that are created in the application server. The problem here is that the users cannot be created at deployment time. Users are created at run-time as new people sign up using the registration form. So, how can user be created with the application server before deploying the application?

      It seems very odd to be that application users are defined at the app-server level. Eg, Ebay/Amazon has millions of users. Are all those users defined at the application server where their app is deployed?

      If JavaEE security cannot support this simple usecase, what is the point of having security-constraint and all the other security features?