Authentication is the process of determining and verifying the identity of someone or something. In multi-user applications, the process of authentication for an application is needed to get knowledge about the person that is currently using the application. The widely used process for authentication is a login process during which the user is asked for his username and password. A user that knows one of this username/password-tuples is assumend to be the person belonging to that username. Besides username/password authentication there are other methods like public-key-authentication with a digital certificate, to name just one.

Authentication in JPA Security

JPA Security uses an implementation of the net.sf.jpasecurity.configuration.SecurityContext interface to be aware of the currently authenticated user and other related information (like its roles, tenant, ...) at runtime.

Default-Configuration for Authentication

By default JPA Security will try to auto-detect your security context. This is done via the indirection of an authentication provider. An authentication provider provides access to the current authenticated user and its roles. The detection follows the following rules (The first matching rule is taken):

  1. When spring-security is in the classpath, the SpringAuthenticationProvider is used.
  2. When java:comp/EJBContext is available in the JNDI-context, the EjbAuthenticationProvider is used.
  3. When JSF is available in the classpath, the JsfAuthenticationProvider is used.
  4. Otherwise the DefaultAuthenticationProvider is used.

Customizing Authentication

When the described auto-detection strategy does not work for your environment, you may specify the class name of any implementation of the net.sf.jpasecurity.configuration.SecurityContext interface as value of the persistence-property in your persistence.xml. To provide backward compatibility to JPA Security 0.3 is also valid, if you specify a class name of an implementation of the net.sf.jpasecurity.configuration.AuthenticationProvider interface, but any specification of the property will take precedence.