First thing, I'd look at whether you can use another authentication system like Google or Facebook, or OpenID (StackOverflow uses these and more).
Secondly, I'd look into using a security framework like Spring Security.
Finally, if you want/need to do it on your own from scratch, here are some pointers:
- Always store passwords using a 1-way hashing mechanism e.g. SHA
- Use salt when hashing your password - you should have a random salt value per password (see this SO question for its length)
- You can also have a constant application-wide salt value that is not stored next to the password
- Give the users roles. This will solve your front end/back end users problem
I'm assuming you're using a database. Here's an example schema (MySQL):
CREATE TABLE users (
    id INTEGER UNSIGNED NOT NULL PRIMARY KEY AUTO_INCREMENT,
    mail VARCHAR(255) NOT NULL,
    name VARCHAR(255) NOT NULL,
    enc_password VARCHAR(64) NOT NULL,
    salt CHAR(8) NOT NULL,
    is_mail_authenticated TINYINT(1) UNSIGNED NOT NULL DEFAULT 0,
    UNIQUE KEY (mail)
) ENGINE = InnoDB;

CREATE TABLE roles (
    id INTEGER UNSIGNED NOT NULL PRIMARY KEY AUTO_INCREMENT,
    name VARCHAR(32) NOT NULL,
    UNIQUE KEY (name)
) ENGINE = InnoDB;

CREATE TABLE users_roles (
    user_id INTEGER UNSIGNED NOT NULL,
    role_id INTEGER UNSIGNED NOT NULL,
    FOREIGN KEY (user_id) REFERENCES users (id),
    FOREIGN KEY (role_id) REFERENCES roles (id)
) ENGINE = InnoDB;
That'll do it for a very basic user model. You'll need a tool to generate your salt. I'd use randomAlphanumeric from Apache commons lang.
You may want to add some stuff to lock user accounts after too many failed login attempts. And you may want to track the IP they've logged in from. This is left as an exercise to the reader :)
I added the is_mail_authenticated field to track whether the user had authenticated their mail. This is usually accomplished by clicking a link from one's email.
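The following is an added example, not code from the answer above, showing the pieces the answer describes working together: a random per-password salt sized for the `CHAR(8)` column, an application-wide secret that is not stored next to the password, a hex digest that fits `VARCHAR(64)`, role membership, and the failed-login lockout the answer leaves as an exercise. Where the answer says "SHA", this example uses PBKDF2-HMAC-SHA256 (a slow, iterated construction over SHA-256) rather than a single SHA pass, since a plain hash is cheap to brute-force offline. The names `APP_PEPPER`, `ITERATIONS`, `MAX_FAILED_LOGINS` and the in-memory `User` record are assumptions standing in for a real config and the `users` / `users_roles` rows.

```python
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass, field

# Application-wide secret ("pepper") that lives outside the database, e.g. in
# an environment variable. The literal below is a constructed placeholder.
APP_PEPPER = os.environ.get("APP_PEPPER", "replace-me-app-wide-secret")

ITERATIONS = 200_000          # PBKDF2 work factor; raise as hardware gets faster
MAX_FAILED_LOGINS = 5         # lock the account after this many consecutive failures
ALPHABET = string.ascii_letters + string.digits


def generate_salt(length: int = 8) -> str:
    """Random alphanumeric salt, generated fresh for every password (fits CHAR(8))."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password: str, salt: str) -> str:
    """PBKDF2-HMAC-SHA256 over the password, mixing the per-user salt with the
    app-wide pepper. Returns 64 hex characters, which fits VARCHAR(64)."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        (salt + APP_PEPPER).encode("utf-8"),
        ITERATIONS,
    )
    return digest.hex()


@dataclass
class User:
    """In-memory stand-in for a row of `users` joined with its `users_roles` rows."""
    mail: str
    name: str
    enc_password: str
    salt: str
    roles: set = field(default_factory=set)
    failed_logins: int = 0
    locked: bool = False


def create_user(mail: str, name: str, password: str, roles=()) -> User:
    """Salt and hash the password at registration; the clear text is never stored."""
    salt = generate_salt()
    return User(mail, name, hash_password(password, salt), salt, set(roles))


def authenticate(user: User, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.
    Counts failures and locks the account once MAX_FAILED_LOGINS is reached."""
    if user.locked:
        return False
    candidate = hash_password(password, user.salt)
    if hmac.compare_digest(candidate, user.enc_password):
        user.failed_logins = 0
        return True
    user.failed_logins += 1
    if user.failed_logins >= MAX_FAILED_LOGINS:
        user.locked = True
    return False


def has_role(user: User, role: str) -> bool:
    """Role check that separates front-end from back-end users."""
    return role in user.roles


if __name__ == "__main__":
    alice = create_user("alice@example.com", "Alice", "correct horse", roles={"backend"})
    print("login ok:", authenticate(alice, "correct horse"))
    print("backend:", has_role(alice, "backend"), "frontend:", has_role(alice, "frontend"))
```

Because the salt is random per user, two users with the same password get different `enc_password` values, so a leaked table does not reveal shared passwords; the pepper means a dump of the `users` table alone is not enough to start cracking.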