SecurityFilter is a Java Servlet Filter that mimics container managed security. It looks just like container managed security to your app, as you can call request.getRemoteUser(), request.isUserInRole(), and request.getUserPrincipal() and get valid responses. The Security Filter configuration file follows the web.xml standard, which makes it easy to switch to Security Filter from container managed security, or switch back as your requirements or deployment environment details change.
SecurityFilter is intended for use by Java web application developers. It provides robust security and automatic authentication services for web applications. It has several important advantages over container managed security that make it an ideal solution for single-context, public web sites, or when it is necessary or simply desirable to avoid the server configuration hassles and portability issues associated with container managed security.
Advantages of SecurityFilter over Container Managed Security:
Security Filter is intended to be packaged within your web app, including your realm implementation and supporting classes. This allows you to deploy your app as a single, deployable unit (war file or expanded war directory structure) with no additional configuration of the server environment. This is in contrast to container managed security in which the realm must be added to the server's classpath (including any supporting classes) and configured in the server.
Security Filter supports "unsolicited" login requests, and will send the user to a destination you have configured upon successful authentication. This allows you to have a login form on every page, or simply link directly to your login form to authenticate users. With container managed security, the container will not process login requests unless the container itself has initiated the authentication sequence (i.e. sent the user to the login form) in response to a request for a protected resource, which makes it impossible to have a login form on every page and complicates implementation of a link to the login form.
Each server has its own realm interface, so your realm implementation will not be portable across different servers. Security Filter has a small, simple realm interface that is portable across different servers (because it is proprietary to Security Filter rather than the server implementation). Security Filter also supports adapter classes to adapt a proprietary realm implementation from any server to the Security Filter realm interface, which will get you up and running quickly and makes your realm portable across different server implementations. A Tomcat/Catalina realm adapter is included in the package now, adapters for other realm implementations are planned, and it is easy to implement your own adapter by following the Catalina realm adapter as an example.
Current Requirements & Limitations of SecurityFilter:
SecurityFilter requires a Servlet 2.3 compliant server environment. This includes Tomcat 4+, WebLogic 6.1+, and many other servers. Consult your server documentation to check for Servlet 2.3 support.
SecurityFilter only supports FORM and BASIC authentication. FORM authentication is supported in all release versions of SecurityFilter. BASIC authentication is not available quite yet; it will be supported in an upcoming 1.1 release. These are the most popular types of login configurations, as they support an application-specific login form page and the pop-up window for login.
<user-data-constraint> elements are allowed in the SecurityFilter configuration file, but they are not currently supported. <user-data-constraint> elements are used to indicate what web resources are to be accessed only via HTTPS. Support for these constraints is expected to be available soon.
When SecurityFilter is used, a user's Principal will not automatically be propagated to EJB calls. If this is a requirement for your application, you may not be able to use SecurityFilter.
Single Sign-On among several web application contexts is not currently supported. We are investigating possible solutions for this configuration.
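Because <user-data-constraint> elements are not yet supported, an application that needs certain paths served only over HTTPS has to check this itself. The following is an added example, not part of SecurityFilter or its documentation: a plain Servlet 2.3 filter that performs the check. The class name and the init-param names "securePrefixes" and "httpsBase" are assumptions made for this illustration.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical class): keeps plain-HTTP requests away from protected paths.
public class RequireHttpsFilter implements Filter {
    private String[] prefixes; // init-param "securePrefixes" (assumed), e.g. "/account,/admin"
    private String httpsBase;  // init-param "httpsBase" (assumed), e.g. "https://www.example.com"

    public void init(FilterConfig cfg) throws ServletException {
        String p = cfg.getInitParameter("securePrefixes");
        httpsBase = cfg.getInitParameter("httpsBase");
        if (p == null || httpsBase == null || !httpsBase.startsWith("https://")) {
            throw new ServletException("securePrefixes and an https:// httpsBase are required");
        }
        prefixes = p.split(",");
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // Match on the container-decoded path, so "/%61dmin" is compared as "/admin".
        String path = req.getServletPath() + (req.getPathInfo() == null ? "" : req.getPathInfo());
        if (req.isSecure() || !isProtected(path)) {
            chain.doFilter(rq, rs);
            return;
        }
        String method = req.getMethod();
        if ("GET".equals(method) || "HEAD".equals(method)) {
            // Redirect to the configured host rather than the client-supplied Host header.
            String q = req.getQueryString();
            res.sendRedirect(httpsBase + req.getRequestURI() + (q == null ? "" : "?" + q));
        } else {
            // A POST body has already crossed the wire in clear text; refuse instead of replaying.
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
        }
    }

    private boolean isProtected(String path) {
        for (int i = 0; i < prefixes.length; i++) {
            String pre = prefixes[i].trim();
            if (pre.length() > 0 && (path.equals(pre) || path.startsWith(pre + "/"))) return true;
        }
        return false;
    }

    public void destroy() { }
}
```

Declare its filter-mapping ahead of SecurityFilter's in web.xml so the check runs before a login submission is processed. Behind a TLS-terminating proxy, isSecure() describes the proxy-to-container hop, so the check must be adapted to that deployment.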