tomcat-users mailing list archives

From Alistair Hopkins <alist...@berthengron.co.uk>
Subject Re: How to setup login based security?
Date Tue, 30 May 2000 15:01:10 GMT
request.getSession() returns a new or existing session.
request.getSession(false) prevents this, and will only return an existing one.

It works fine for me.


At 11:51 AM 5/30/00 -0400, you wrote:
>This won't work...
>
>request.getSession(false) never returns null on tomcat
>
>returns a session even on the first request with tomcat.  Or is there a
>setting that enforces this?
>
>rick
>
>----------
> >From: Alistair Hopkins <alistair@berthengron.co.uk>
> >To: tomcat-user@jakarta.apache.org
> >Subject: Re: How to setup login based security?
> >Date: Tue, May 30, 2000, 10:46 AM
> >
>
> > Why not write an abstract servlet which checks this
> >
> > <code>
> > public abstract class SecureServlet
> > extends HttpServlet
> > </code>
> >
> > where the service method checks the session before calling the normal
> > service methods
> >
> > <code>
> > HttpSession hs = request.getSession(false);
> > if ( hs == null )
> > {
> >     // tell them to log in here
> > } else
> > {
> >     // session exists: hand over to the normal service dispatch
> >     super.service(request, response);
> > }
> > </code>
> >
> > you can then handle URL hacks/timeouts/etc centrally, and make new secure
> > servlets by extending the SecureServlet
> >
> > <code>
> > public abstract class WhicheverServlet
> > extends SecureServlet
> > </code>
> >
> > I'm doing something like this, but also managing Denial of Service
> > prevention, db connection pools, etc from the abstract servlet.
> >
> > Also means that as there is no chaining, etc, etc, then it will work as is
> > on any servlet engine and won't fall foul of changing specs.
> >
> >
> >
> >
> >
> > At 04:10 PM 5/30/00 +0200, you wrote:
> >>Hi,
> >>
> >>my webapplication starts with a form based user login. A database lookup is
> >>made to check if there is a user account. When the login is successful a
> >>user object is inserted in the current session data. All other servlets of my
> >>webapp should check if this user object exists and if not redirect the
> >>request to the login form.
> >>
> >>My idea is to implement a check servlet (or a simple class) which
> >>checks every request to my webapp before the requested servlet is called.
> >>Is this possible with tomcat or is there any other way to secure my webapp.
> >>
> >>Regards,
> >>
> >>         Christoph
> >>--
> >>+---------------------------------------------------------------------------+
> >>| Dipl.-Inf. Christoph Kulla                        mailto:kulla@metabox.de |
> >>| Met@box AG                                          http://www.metabox.de |
> >>| Daimlerring 37                                                            |
> >>| 31135 Hildesheim                                  Phone: +49-5121-7533-0  |
> >>| Germany                                             Fax: +49-5121-7533-78 |
> >>+---------------------------------------------------------------------------+
> >>
> >>--------------------------------------------------------------------------
> >>To unsubscribe, email: tomcat-user-unsubscribe@jakarta.apache.org
> >>For additional commmands, email: tomcat-user-help@jakarta.apache.org


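The base-servlet approach discussed in this thread, written out as an added example (not code from any of the posters). It goes one step beyond the quoted snippet by requiring the user object from the original question rather than only a session, so the guard still holds when a session already exists before login. The attribute name `user` and the path `/login.html` are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: base class that gates every subclass behind a login check.
public abstract class SecureServlet extends HttpServlet {

    // Assumed names, not from the thread: the session key the login code
    // stores the user object under, and the login form's location.
    protected static final String USER_ATTR = "user";
    protected static final String LOGIN_PAGE = "/login.html";

    @Override
    protected void service(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession(false) never creates a session as a side effect.
        HttpSession session = request.getSession(false);

        // A session alone is not proof of login: one may already exist
        // (for example, created by a JSP page), so require the user object.
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);

        if (user == null) {
            // Not logged in, or the session timed out: send to the login form.
            response.sendRedirect(response.encodeRedirectURL(
                    request.getContextPath() + LOGIN_PAGE));
            return;
        }

        // Authenticated pages should not be kept in browser or proxy caches.
        response.setHeader("Cache-Control", "no-store");

        // Logged in: continue to doGet/doPost/... of the concrete servlet.
        super.service(request, response);
    }
}
```

Concrete servlets extend `SecureServlet` and implement `doGet`/`doPost` as usual; the login servlet itself must extend `HttpServlet` directly, otherwise it would redirect to itself.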