
Currently, we are thinking of adding a login module to our website (which previously could be used by all, with no need to log in). I think that we need a user table to store the id and password, a password cryptography API to encrypt the password before storing it in the table, server-side validation to check whether the id/password match, and code to maintain the login information in the session (which is the difficult part, I think).

I don't have previous experience implementing a server-side login module. So I wonder if there is some third-party library or API that can be used to ease the implementation. I am using Tomcat as the web server, so Java libraries are preferred.

Or if someone has experience implementing it, could you give me some advice?

Thank you all.

ausgoo

3 Answers


I think you are looking for a Security Framework.

A Security Framework is a comprehensive solution to authentication, authorization and session management.

Take a look into Shiro vs. Spring Security.

Personally, I feel that Apache Shiro is simpler to use. Here's a simple tutorial.

nunaxe

You should be looking first and foremost at Container Managed Authentication. It's all done for you, you just have to fit into the rules.

And you must hash the password, not encrypt it, otherwise you lose all sorts of desirable security properties, including most importantly non-repudiation, which has major legal consequences.

user207421

Surprised to see that Shiro engages in the Don't Control Flow with Exceptions antipattern.

Another option is Seam. It provides much of this functionality with dependency injection.

Rob
  • Can you share references where Shiro uses this. I was planning to use it. – Jus12 Aug 29 '13 at 18:24
  • If you click through on the link to Shiro 2 answers up, then click on their Tutorial, you will see that they have a try/catch construct for finding out why someone's authentication failed. – Rob Aug 29 '13 at 23:32