different ways of logging in a user in a Java EE 6 web app

I am wondering what all options or ways do we have in a Java EE 6 web app, to log in users? With this I mean, saving their data (id, username, ...) while they are using the app.

I know this data is stored in a session while thy are using the site, sometimes in cookies or even the URL.

But what I would like to know is:

• What is the most common approach in a Java EE 6?
• What would be the mo开发者_Python百科st recommendable way?
• What do you practice and what do you prefer?
• What other options do we have?
• What would be the safest?

What would be the most recommendable way?

On Java EE 6, that would (in my opinion) be using container managed security with a Realm pointing to a SQL database.

What do you practice and what do you preffer?

Before Java EE 6, I used to prefer a homegrown login mechanism because I'd like to have full control over the login. Most containers namely doesn't allow filtering j_security_check requests. Since Java EE 6 it's possible to do a programmatic login with the new HttpServletRequest#login() method, so that disadvantage has gone.

What other options do we have?

Well, I already mentioned two major ways. Apart from some frameworks like Spring Security, there are not really other options. The container managed security in turn offers several ways to do the login such as HTTP BASIC authentication (which just shows a browser-builtin JavaScript-like login popup), form based authentication (using a HTML form submitting to j_security_check) and the new programmatic login.

What would be the safest?

All are equally safe. The safefy in practice depends on your own code and configuration settigns.

try to use some framework, like spring (spring mvc will automatically inject the session data which include log in info).