Security consists of the following aspects:
- Authentication
- Authorization
- Transport Layer Security - Encryption
Authentication: - This is the verification of a user's credentials; in most cases it is done through an input mechanism such as a login form. The login page you are building is the authentication part.
Authorization: - Application resources must be protected from unauthorized access, which means that when a user requests a protected resource, the application must check that the user has the appropriate access rights. This is usually done by assigning roles to the user and installing request filters that check the user's rights before the resource is served; the safe default is to deny everything that is not explicitly permitted. This part is more important than the login page and requires a detailed design analysis: authenticating the user is not enough, you also have to ensure that protected resources are never reachable by users who are not authorized for them.
Transport layer security: - The system architecture must ensure that data transmitted over the network (credentials, session cookies, business data) cannot be read or altered by an attacker sniffing the network. SSL/TLS (HTTPS) is used to achieve this, and it is usually configured on the container or the reverse proxy in front of it rather than in application code.
Java EE (J2EE) containers and frameworks such as Spring provide common functions for every aspect of security.
What you are trying to develop is a simple authentication mechanism. Application security requires more when it comes to access control, i.e. authorization.
In addition, security must scale with changing business needs: integration requirements such as Single Sign-On (SSO) or LDAP authentication will come up later, and your system must be able to adapt to them.
Although JAAS and container-managed security are good enough to scale, they have a few limitations. For example, you will depend on the specific configuration and adapters of a particular provider. Your application declares its security needs in deployment descriptors, and server administrators must configure the security realms on the server.
I would recommend that you evaluate the Spring Security infrastructure (formerly Acegi Security). We used the same in many of our projects and found it reliable, customizable and easy to implement. It comes with a set of filters that intercept your request and provide access control. The framework can be used to validate users against various user repositories such as databases, LDAP servers, OS security, etc. It is extensible and can be integrated with SSO servers. It also provides useful tag libraries for controlling access to parts of JSP pages. The framework also provides method-level security, which can be applied at the class level through the Spring AOP framework.
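As an added example (not code from the original answer, and not the Spring project's own sample), here is how the three aspects listed at the top of the answer map onto a Spring Security configuration. It assumes Spring Boot 3 / Spring Security 6.x on the classpath; the URL paths, role names, user names, sample passwords and the PayrollService class are made up for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // turns on @PreAuthorize, i.e. method-level security applied via Spring AOP
public class SecurityConfig {

    // Authorization at the request level: this filter chain intercepts every request
    // before it reaches a servlet or controller.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Transport layer: refuse plain HTTP. Assumes TLS is terminated on the container
            // or on a reverse proxy that forwards the scheme (X-Forwarded-Proto).
            .requiresChannel(channel -> channel.anyRequest().requiresSecure())
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/css/**").permitAll()            // hypothetical public paths
                .requestMatchers("/admin/**").hasRole("ADMIN")                // role-based rule
                .requestMatchers("/reports/**").hasAnyRole("ADMIN", "ANALYST")
                .anyRequest().authenticated())                                // deny by default
            // Authentication: form login backed by the UserDetailsService below
            .formLogin(form -> form.loginPage("/login").permitAll());
        return http.build();
    }

    // Authentication: the user repository. In-memory here so the example is self-contained;
    // a real deployment swaps this bean for a JDBC- or LDAP-backed UserDetailsService.
    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails alice = User.withUsername("alice")            // constructed sample user
            .password(encoder.encode("alice-sample-password"))    // hashed at startup, never stored in clear
            .roles("USER")                                        // stored as the authority ROLE_USER
            .build();
        UserDetails admin = User.withUsername("admin")            // constructed sample user
            .password(encoder.encode("admin-sample-password"))
            .roles("ADMIN", "USER")
            .build();
        return new InMemoryUserDetailsManager(alice, admin);
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(); // slow, salted hash; plaintext or reversible storage is never acceptable
    }
}

// Method-level security. The URL rule on /admin/** is not enough on its own: another
// controller, a message listener or a scheduled job could call this service directly,
// so the check is repeated on the method that actually does the sensitive work.
@Service
class PayrollService { // hypothetical service, not part of any real project

    @PreAuthorize("hasRole('ADMIN')")
    public void approvePayroll(long payrollId) {
        // only reached when the caller's Authentication carries ROLE_ADMIN
    }

    // Object-level rule: a user may read only their own record unless they are an admin.
    // Referencing #username assumes parameter names are compiled in (-parameters),
    // which Spring Boot's build plugins enable by default.
    @PreAuthorize("hasRole('ADMIN') or #username == authentication.name")
    public String loadPayslip(String username) {
        return "payslip for " + username;
    }
}
```

The important design choice is the last `anyRequest().authenticated()` rule: everything not listed above it is protected, so forgetting to add a rule for a new URL fails closed rather than open. The `@PreAuthorize` checks duplicate the URL rules deliberately, because the URL layer only sees HTTP requests while the service layer sees every caller.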