cocoon-users mailing list archives

From dave sag <dave....@portablewhole.com>
Subject Re: login concept
Date Fri, 23 Jun 2000 08:50:13 GMT
At 3:23 pm +0100 22/6/00, Yann wrote:
>> But isn't that just a class you have written... where
>> is the bean specific?!
>
>It is just a class indeed. I guess the term bean was used because in an
>ideal world, the Java classes you use as Business Objects should be EJB.

only if you are stuck using corba to drag common sense out of legacy systems. use beans for
sure though cos the beans api offers all sorts of handy widgets for looking into the bean.
combine that with some canny logic sheets and you can pretty much auto-generate CRUD interfaces
for your objects.

beans != EJB.

>
>> BTW: Where do you define user and password for db access
>
>They are passed as session variables. Since I pass the session object to
>the Access object, the Access object can look up in a DB to check whether
>these variables (username/password) are in a table.

better to just run an isAuthenticated() method as part of a userAuthenticationBean.

i don't think anyone will mind me posting this snippet of source code from our userAuthenticationBean.
note the use of a connector object to abstract the 'how' away. The CriticalJavaspaceException
is one of ours, not a Jini class, so don't be concerned by that. we will probably rewrite
this again soon to complete the abstraction away from Jini-specific code, but the logical
flow here is what you need. once you have such a bean you write a small logicsheet to associate
an XSP tag to the method and bob's your uncle.

	public boolean isLoginAuthenticated()
	{
		// Create an empty User object and set the username as the lookup template
		User templateuser = new User();
		templateuser.setUsername(mLoginUsername);

		User tempuser;
		try {
			// Ask the connector for the user matching the template
			tempuser = (User) mConnector.readAndCheck(templateuser, 20000);
		}
		catch (CriticalJavaspaceException e) {
			// Lookup itself failed: record the reason and refuse the login
			mAuthError = e.getMessage();
			return false;
		}

		if (tempuser == null) {
			mAuthError = "No such user found";
			return false;
		}

		// Check password validity. If it passes, then assign the
		// temp user to the authenticated user
		if (tempuser.verifyLoginPassword(mLoginPassword)) {
			mAuthError = null;
			mAuthenticatedUser = tempuser;
			return true;
		}
		else {
			mAuthError = "Incorrect Login Password";
			mAuthenticatedUser = null;
			return false;
		}
	}


>
>Please bear in mind that there are tricks I used on my first Cocoon project
>which is Internal where security is not such a big issue. I would be more
>cautious in an internet environment. For instance, I don't know whether
>storing a password into a session variable is a good thing.

it isn't.  you should keep the password as a private property of your user object. then have
a method which determines if a password supplied is the user's password. that way you never
have to expose the password.

hope that was some help.

cheers

dave

-- 


----------------------------------------------------------
Dave Sag                            CEO Portable Whole Ltd
dave@portablewhole.com        http://www.portablewhole.com

  "Software Development will soon be an Agri-business.
   Why write it when you can farm it."

  Latest: http://www.davesag.com/motp
  It's a whole new world in there. (req netscape or IE 4+)

----------------------------------------------------------
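The login flow and the "keep the password private in the user object" advice from this thread, as an added example that is not dave's bean nor Cocoon code. It goes one step beyond the thread by keeping only a salted PBKDF2 hash rather than the password itself; the User and UserAuthenticationBean classes, the HashMap standing in for the Jini connector and the sample account are all assumed.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical User: only a per-user salt and a PBKDF2 hash are kept, and
// verifyLoginPassword() is the sole way to ask whether a candidate is correct.
class User {
    private final byte[] salt = new byte[16];
    private final byte[] passwordHash;
    User(String password) throws Exception {
        new SecureRandom().nextBytes(salt);
        this.passwordHash = derive(salt, password);
    }
    // No getPassword() exists; MessageDigest.isEqual compares in constant time
    boolean verifyLoginPassword(String candidate) throws Exception {
        return MessageDigest.isEqual(passwordHash, derive(salt, candidate));
    }
    private static byte[] derive(byte[] salt, String password) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }
}

// Hypothetical bean; a HashMap keyed by username stands in for the Jini connector.
public class UserAuthenticationBean {
    private final HashMap<String, User> mConnector = new HashMap<>();
    private String mAuthError;
    private User mAuthenticatedUser;
    void addUser(String username, User u) { mConnector.put(username, u); }
    public boolean isLoginAuthenticated(String username, String password) throws Exception {
        User tempuser = mConnector.get(username);
        // One error for both failures, so the reply does not reveal which usernames exist
        if (tempuser == null || !tempuser.verifyLoginPassword(password)) {
            mAuthError = "Invalid username or password";
            mAuthenticatedUser = null;
            return false;
        }
        mAuthError = null;
        mAuthenticatedUser = tempuser;
        return true;
    }
    public static void main(String[] args) throws Exception {
        UserAuthenticationBean bean = new UserAuthenticationBean();
        bean.addUser("yann", new User("s3cret"));   // constructed sample account
        System.out.println(bean.isLoginAuthenticated("yann", "s3cret") + " " + bean.isLoginAuthenticated("yann", "wrong"));
    }
}
```

Unlike the posted snippet, both failure paths set the same mAuthError, so a caller cannot tell an unknown username from a wrong password.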
