tomcat-users mailing list archives

From Christoph Kulla <ku...@metabox.de>
Subject Re: How to setup login based security?
Date Tue, 30 May 2000 17:34:04 GMT
Hi,

Your idea is very straightforward. But my situation is that I have a couple
of servlets which I cannot change. So the subclassing is not possible.
Furthermore I don't see the need to write a wrapper servlet for each servlet
which adds security support. It would be much easier with servlet chaining or a
special RequestDispatcher.

Alistair Hopkins wrote:
> 
> Why not write an abstract servlet which checks this
> 
> <code>
> public abstract class SecureServlet
> extends HttpServlet
> </code>
> 
> where the service method checks the session before calling the normal
> service methods
> 
> <code>
> HttpSession hs = request.getSession(false);
> if ( hs == null )
> {
>     // tell them to log in here
> } else
> {
>     // session exists: continue with the normal HttpServlet dispatch
>     super.service(request, response);
> }
> </code>.
> 
> you can then handle URL hacks/timeouts/etc centrally, and make new secure
> servlets by extending the SecureServlet
> 
> <code>
> public abstract class WhicheverServlet
> extends SecureServlet
> </code>
> 
> I'm doing something like this, but also managing Denial of Service
> prevention, db connection pools, etc from the abstract servlet.
> 
> Also means that as there is no chaining, etc, etc, then it will work as is
> on any servlet engine and won't fall foul of changing specs.
> 
> At 04:10 PM 5/30/00 +0200, you wrote:
> >Hi,
> >
> >my web application starts with a form based user login. A database lookup is
> >made to check if there is a user account. When the login is successful a
> >user object is inserted in the current session data. All other servlets of my
> >webapp should check if this user object exists and if not redirect the
> >request to the login form.
> >
> >My idea is to implement a check servlet (or a simple class) which
> >checks every request to my webapp before the requested servlet is called.
> >Is this possible with tomcat or is there any other way to secure my webapp?
> >
> >Regards,
> >
> >         Christoph
> >--
>
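
The central check asked for in this thread, as an added example that is not part of the original messages: one gatekeeper servlet verifies the session's user object and then forwards to the unchanged servlets by name with `ServletContext.getNamedDispatcher`. The class name, the `user` session key, `/login.html` and the `/app/*` mapping are assumptions; the login form and its handler are assumed to be mapped outside `/app/*`.

```java
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical gatekeeper: the only servlet with a URL mapping (e.g. /app/*).
// The existing servlets stay unchanged and are declared in web.xml by
// <servlet-name> only, with no <servlet-mapping>, so they cannot be
// requested directly and the check cannot be skipped.
public class GatekeeperServlet extends HttpServlet {

    private static final String USER_ATTRIBUTE = "user";     // assumed session key
    private static final String LOGIN_PAGE = "/login.html";  // assumed login form

    protected void service(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // getSession(false): never create a session for an anonymous caller.
        HttpSession session = request.getSession(false);
        // A session alone proves nothing; require the user object that the
        // login step stored after its database lookup.
        if (session == null || session.getAttribute(USER_ATTRIBUTE) == null) {
            response.sendRedirect(
                response.encodeRedirectURL(request.getContextPath() + LOGIN_PAGE));
            return;
        }

        // /app/orders -> path info "/orders" -> servlet name "orders".
        String pathInfo = request.getPathInfo();
        String name = (pathInfo == null) ? "" : pathInfo.substring(1);
        // Accept a plain name only, and never forward to ourselves.
        if (name.length() == 0 || name.indexOf('/') >= 0
                || name.equals(getServletName())) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        RequestDispatcher target = getServletContext().getNamedDispatcher(name);
        if (target == null) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        target.forward(request, response);
    }
}
```

Any servlet that keeps its own URL mapping stays reachable without the check, so the protection depends on the gatekeeper being the only mapped entry point.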
