Java EE authentication and authorization [closed]
I am creating a website using Java EE.
I have created a table in a PostgreSQL database for the user data (username, password, role). I want to make a security realm or something like that in which to put some of the servlets. If a user sends a request to one of the servlets in the security realm and is not logged in, I want to redirect them to the login page.
The problem that I am having is that I don't know how to verify if the user is logged in or not when the request is received on the server. Should I use a session id or cookie? I've also searched a lot on form based authentication but I haven't found a way to compare the received data with the data stored in my database.
I highly recommend using a framework to do this, as opposed to rolling your own. Security is a tricky thing to get right and you're going to end up rewriting a bunch of the code that is already in existence. I have been recommending the excellent Shiro framework for a while now, but in your case I believe Spring Security would be a better fit. Take a look at their tutorials and then download the sample application. All told it shouldn't take you more than a day to stand up and become familiar with the basics.
Good luck.
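For comparison, the container-managed route built into Java EE 8 (the Jakarta Security API) covers all three points of the question without hand-written session or cookie checks: the container redirects unauthenticated requests to the login page, tracks the login in the HTTP session, and verifies the submitted credentials against the database. This is an added example, not code from the question or the answer; the table name app_user, the data source java:app/jdbc/appDS, the pages /login.xhtml and /login-error.xhtml, and the role name member are assumptions.

```java
// --- file: SecurityConfig.java (assumed name; added example, not from the page) ---
package example.security;
import javax.annotation.security.DeclareRoles;
import javax.enterprise.context.ApplicationScoped;
import javax.security.enterprise.authentication.mechanism.http.FormAuthenticationMechanismDefinition;
import javax.security.enterprise.authentication.mechanism.http.LoginToContinue;
import javax.security.enterprise.identitystore.DatabaseIdentityStoreDefinition;

// Unauthenticated requests to a protected servlet are redirected to loginPage;
// the container keeps the login state in the HTTP session (JSESSIONID cookie).
@FormAuthenticationMechanismDefinition(
    loginToContinue = @LoginToContinue(
        loginPage = "/login.xhtml",
        errorPage = "/login-error.xhtml",
        useForwardToLogin = false))       // redirect instead of a server-side forward
// Credentials are checked against the assumed app_user table. The password
// column must hold PBKDF2 hashes produced by Pbkdf2PasswordHash.generate(),
// never plaintext; the role column feeds the container's role check.
@DatabaseIdentityStoreDefinition(
    dataSourceLookup = "java:app/jdbc/appDS",
    callerQuery = "SELECT password FROM app_user WHERE username = ?",
    groupsQuery = "SELECT role FROM app_user WHERE username = ?",
    hashAlgorithmParameters = {
        "Pbkdf2PasswordHash.Iterations=3072",
        "Pbkdf2PasswordHash.Algorithm=PBKDF2WithHmacSHA256" })
@DeclareRoles({ "member", "admin" })
@ApplicationScoped
public class SecurityConfig { }

// --- file: AccountServlet.java (assumed name) ---
package example.security;
import java.io.IOException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Only callers whose row carries role 'member' reach doGet(); anyone not logged
// in is sent to the login form, and a logged-in user without the role gets 403.
@WebServlet("/secure/account")
@ServletSecurity(@HttpConstraint(rolesAllowed = "member"))
public class AccountServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/plain");
        resp.getWriter().println("Logged in as " + req.getUserPrincipal().getName());
    }
}
```

At registration time, hash the new password with an injected Pbkdf2PasswordHash (generate(char[])) before inserting it, so the stored value matches what the identity store expects.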