users@glassfish.java.net

HTTP Basic Auth using imported usernames/passwords

From: <glassfish_at_javadesktop.org>
Date: Fri, 27 Jun 2008 10:23:14 PDT

We are using GlassFish for an API and everything works great. Now we want to add a second API, but it needs to be secure. We want to use HTTP Basic Authentication where the username and password are sent in HTTP headers, and the whole thing is encrypted with HTTPS.

Our users already have usernames and passwords for a different application, so we'd like to import those. We don't want them to have to remember a new username and password for the API.

The usernames and passwords are stored in a database. We'd like to write a program to sync with this database a couple of times a day, so if the username and password change there, the same change will take place for our API (after a few hours). I'm expecting maybe 1000 usernames and passwords.

So I've been doing research into GlassFish security. It seems like I can make the servlet secure by adding lines to the deployment descriptor. I can set it up so the usernames and passwords are validated against GlassFish's "file user" database.

I see that there are asadmin command-line tools for altering this user database: create-file-user, delete-file-user, update-file-user, etc.

I tried these commands to create a user for my domain. The docs say that the username and password are stored in the domain in the config/keyfile file. But after adding a user, this file didn't change.

Where are the file usernames and passwords stored? Can I simply rewrite the file where they are stored, or do I have to use asadmin to alter the file? Or is there a library I can use from Java to change the usernames and passwords?

Or am I completely off track here?
[Message sent by forum member 'ppantera' (ppantera)]

http://forums.java.net/jive/thread.jspa?messageID=283014
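
The deployment-descriptor setup the message describes (HTTP Basic Authentication, HTTPS only, validated against the file realm), as an added example that is not part of the original post. The URL pattern /api/* and the role name api-user are assumptions; "file" is the name of GlassFish's default file realm.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml (Servlet 2.5) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure API</web-resource-name>
      <!-- Assumed path of the second API. -->
      <url-pattern>/api/*</url-pattern>
      <!-- No <http-method> elements on purpose: listing methods would
           leave every unlisted method (PUT, DELETE, ...) unprotected. -->
    </web-resource-collection>

    <!-- Only authenticated callers holding this role are admitted. -->
    <auth-constraint>
      <role-name>api-user</role-name>
    </auth-constraint>

    <!-- Basic credentials are only base64-encoded, so require TLS.
         CONFIDENTIAL makes the container redirect plain-HTTP requests
         to the HTTPS listener before it asks for credentials. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <!-- Realm to validate against; "file" is the default file realm. -->
    <realm-name>file</realm-name>
  </login-config>

  <!-- Every role used in an auth-constraint must be declared. -->
  <security-role>
    <role-name>api-user</role-name>
  </security-role>
</web-app>
```

The role also has to be mapped to a group or principal of the realm, which in GlassFish is done with a security-role-mapping element in WEB-INF/sun-web.xml; users created with create-file-user get their groups from its --groups option.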