tomcat-users mailing list archives

From Rick Horowitz <rhorow...@ni4u.com>
Subject Re: How to setup login based security?
Date Tue, 30 May 2000 17:58:42 GMT
Another idea you may want to try is to put functionality like this in a
global utilities object.  We did that on a previous servlet project, and
used static methods to perform various utility functions. 
Alternatively, you could create a singleton and use non-static methods. 
Just make method calls from the servlet and pass the servlet request and
response objects.  Of course, calling these utility methods from JSPs
requires additional work - custom tag library, probably.  Hope this
helps.

Rick Horowitz

Christoph Kulla wrote:
> 
> Hi,
> 
> your idea is very straightforward. But my situation is, that I have a couple
> of servlets which I cannot change. So the subclassing is not possible.
> Furthermore I don't see the need to write a wrapper servlet for each servlet
> which adds security support. It would be much easier with servlet chaining or a
> special RequestDispatcher.
> 
> Alistair Hopkins wrote:
> >
> > Why not write an abstract servlet which checks this
> >
> > <code>
> > public abstract class SecureServlet
> > extends HttpServlet
> > </code>
> >
> > where the service method checks the session before calling the normal
> > service methods
> >
> > <code>
> > HttpSession hs = request.getSession(false);
> > if ( hs == null )
> >   {
> >              // tell them to log in here
> >   } else
> > {
> >          super.service(request, response);
> > }
> > </code>.
> >
> > you can then handle URL hacks/timeouts/etc centrally, and make new secure
> > servlets by extending the SecureServlet
> >
> > <code>
> > public abstract class WhicheverServlet
> > extends SecureServlet
> > </code>
> >
> > I'm doing something like this, but also managing Denial of Service
> > prevention, db connection pools, etc from the abstract servlet.
> >
> > Also means that as there is no chaining, etc, etc, then it will work as is
> > on any servlet engine and won't fall foul of changing specs.
> >
> > At 04:10 PM 5/30/00 +0200, you wrote:
> > >Hi,
> > >
> > >my webapplication starts with a form based user login. A database lookup is
> > >made to check if there is a user account. When the login is successful a
> > >user object is inserted in the current session data. All other servlets of my
> > >webapp should check if this user object exists and if not redirect the
> > >request to the login form.
> > >
> > >My idea is to implement a check servlet (or a simple class) which
> > >checks every request to my webapp before the requested servlet is called.
> > >Is this possible with Tomcat or is there any other way to secure my webapp?
> > >
> > >Regards,
> > >
> > >         Christoph
> > >--
> >
> 
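
Added example, not part of the original thread or of Tomcat: one way to combine the two suggestions above, with the session check in a shared utility class and an abstract base servlet that calls it. It compiles against the javax.servlet API (Servlet 2.2 or later); the names `LoginCheck`, `USER_ATTR` and `LOGIN_PAGE`, the attribute key `"user"` and the path `/login.html` are assumptions, since the thread does not give them.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Shared check, callable from any servlet (the utility-object approach). */
final class LoginCheck {
    // Assumed values: the thread names neither the attribute key nor the form path.
    static final String USER_ATTR = "user";
    static final String LOGIN_PAGE = "/login.html";

    private LoginCheck() {}

    /** Returns true if a user is logged in; otherwise redirects to the login form. */
    static boolean requireLogin(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // getSession(false): never create a session for an anonymous request.
        HttpSession hs = req.getSession(false);
        // A session can exist without a login (any page may have created one),
        // so test for the user object the login servlet stores, not just the session.
        if (hs != null && hs.getAttribute(USER_ATTR) != null) {
            return true;
        }
        resp.sendRedirect(req.getContextPath() + LOGIN_PAGE);
        return false;
    }
}

/** Base class: doGet/doPost of a subclass run only after the check passes. */
public abstract class SecureServlet extends HttpServlet {
    // final, so a subclass cannot override service() and skip the check.
    @Override
    protected final void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (LoginCheck.requireLogin(req, resp)) {
            super.service(req, resp); // normal dispatch to doGet/doPost
        }
        // else: the redirect has been sent; write nothing more to the response
    }
}
```

Servlets that cannot be changed to extend `SecureServlet` are not covered by this; the login servlet itself must not extend it, or the redirect would loop.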
