Is there some kind of "J2EE compliant" way of doing user authentication and role assignment - are there any standards one is supposed to use?

Ted Husted

The J2EE recommendation for this is to use container-managed security (i.e. the <security-constraint> elements defined in web.xml) for user authentication and access control. Doing so means that the container is taking care of these issues for you, and (perhaps more importantly) that user identities are shared between the web layer and the EJB layer, because the server will be using the same underlying "database" of users and roles.

The only downside to this approach is that there is not yet a standardized API for portably accessing and maintaining a "database" of users and roles ("database" is in quotes because the actual implementation could be anything, including static text files or directory servers).

Instead, most servers provide a server-specific API to do this kind of thing. For example, in Tomcat you can implement an API called a Realm that talks to your existing database of users, and then tell Tomcat to use this Realm implementation for user authentication. In that way, new users added to the database (by whatever means) become instantly authorized for web use also. If you were to switch to a different engine, you would need to re-implement this function according to the APIs provided by the new server, but you would not need to update your applications.