tomcat-users mailing list archives

From Alistair Hopkins <alist...@berthengron.co.uk>
Subject RE: How to setup login based security?
Date Tue, 30 May 2000 15:28:16 GMT
Weird.

You are making me feel insecure in my security

I swear it works for me, Tomcat 3.1 (I think not B)

I'm pretty sure it's in the servlet specs as well

HOWEVER, the only other thing I can think of is that I am not yet running
through Apache but through the http runner: could that make a difference?

At 05:15 PM 5/30/00 +0200, you wrote:
>I have never gotten request.getSession(false) to return null either. Isn't a
>session created as soon as you enter the site using tomcat?
>I check a parameter that I set in the session instead. Not a desirable
>solution, but the only one that works for me so far.
>
>...
>// Kristina
>
>
>-----Original Message-----
>From: Alistair Hopkins [mailto:alistair@berthengron.co.uk]
>Sent: den 30 maj 2000 17:01
>To: tomcat-user@jakarta.apache.org
>Subject: Re: How to setup login based security?
>
>
>request.getSession() returns a new or existing session
>request.getSession(false) prevents this, and will only return an existing
>one
>
>it works fine for me.
>
>
>At 11:51 AM 5/30/00 -0400, you wrote:
> >this won't work...
> >
> >request.getSession(false) never returns null on tomcat
> >
> >returns a session even on the first request with tomcat.  Or is there a
> >setting that enforces this?
> >
> >rick
> >
> >----------
> > >From: Alistair Hopkins <alistair@berthengron.co.uk>
> > >To: tomcat-user@jakarta.apache.org
> > >Subject: Re: How to setup login based security?
> > >Date: Tue, May 30, 2000, 10:46 AM
> > >
> >
> > > Why not write an abstract servlet which checks this
> > >
> > > <code>
> > > public abstract class SecureServlet
> > > extends HttpServlet
> > > </code>
> > >
> > > where the service method checks the session before calling the normal
> > > service methods
> > >
> > > > <code>
> > > > HttpSession hs = request.getSession(false);
> > > > if ( hs == null )
> > > > {
> > > >     // tell them to log in here
> > > > } else
> > > > {
> > > >     super.service(request, response);
> > > > }
> > > > </code>
> > >
> > > > you can then handle URL hacks/timeouts/etc centrally, and make new secure
> > > > servlets by extending the SecureServlet
> > >
> > > <code>
> > > public abstract class WhicheverServlet
> > > extends SecureServlet
> > > </code>
> > >
> > > > i'm doing something like this, but also managing Denial of Service
> > > > prevention, db connection pools, etc from the abstract servlet.
> > > >
> > > > Also means that as there is no chaining, etc, etc, then it will work as is
> > > > on any servlet engine and won't fall foul of changing specs.
> > >
> > >
> > >
> > >
> > >
> > > At 04:10 PM 5/30/00 +0200, you wrote:
> > >>Hi,
> > >>
> > > >>my web application starts with a form based user login. A database lookup is
> > > >>made to check if there is a user account. When the login is successful a
> > > >>user object is inserted in the current session data. All other servlets of my
> > > >>webapp should check if this user object exists and if not redirect the
> > > >>request to the login form.
> > > >>
> > > >>My idea is to implement a check servlet (or a simple class) which
> > > >>checks every request to my webapp before the requested servlet is called.
> > > >>Is this possible with tomcat or is there any other way to secure my webapp.
> > >>
> > >>Regards,
> > >>
> > >>         Christoph
> > >>--
> > >>+-----------------------------------------------------------------------
>
> > ----+
> > >>| Dipl.-Inf. Christoph
> > Kulla                        mailto:kulla@metabox.de |
> > >>| Met@box
> > AG                                          http://www.metabox.de |
> > >>| Daimlerring
> > 37                                                            |
> > >>| 31135 Hildesheim                                  Phone:
> > +49-5121-7533-0  |
> > >>| Germany                                             Fax:
> > +49-5121-7533-78 |
> > >>+-----------------------------------------------------------------------
>
> > ----+
> > >>
> >
> >>--------------------------------------------------------------------------
> > >>To unsubscribe, email: tomcat-user-unsubscribe@jakarta.apache.org
> > >>For additional commmands, email: tomcat-user-help@jakarta.apache.org
> > >
> > >
> > >
>--------------------------------------------------------------------------
> > > To unsubscribe, email: tomcat-user-unsubscribe@jakarta.apache.org
> > > For additional commmands, email: tomcat-user-help@jakarta.apache.org
> >
> >--------------------------------------------------------------------------
> >To unsubscribe, email: tomcat-user-unsubscribe@jakarta.apache.org
> >For additional commmands, email: tomcat-user-help@jakarta.apache.org
>
>
>--------------------------------------------------------------------------
>To unsubscribe, email: tomcat-user-unsubscribe@jakarta.apache.org
>For additional commmands, email: tomcat-user-help@jakarta.apache.org
>
>--------------------------------------------------------------------------
>To unsubscribe, email: tomcat-user-unsubscribe@jakarta.apache.org
>For additional commmands, email: tomcat-user-help@jakarta.apache.org


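The base-servlet idea from the thread, written out as an added example that is not code from any poster: it gates on the user object that the login step stores in the session, so it behaves the same whether or not `request.getSession(false)` returns null before login. The attribute name `user` and the path `/login` are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public abstract class SecureServlet extends HttpServlet {

    // Assumed names, not from the thread: the session attribute the login
    // servlet sets after a successful account lookup, and the login form path.
    protected static final String USER_ATTRIBUTE = "user";
    protected static final String LOGIN_PATH = "/login";

    @Override
    protected void service(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // false: never create a session here, only look up an existing one.
        HttpSession session = request.getSession(false);

        // A session may already exist before login, so a non-null session
        // alone is not proof of authentication. Require the user object.
        Object user = (session == null) ? null : session.getAttribute(USER_ATTRIBUTE);

        if (user == null) {
            // No session, an expired session, or a directly typed URL all
            // end up here and are sent to the login form.
            String login = request.getContextPath() + LOGIN_PATH;
            response.sendRedirect(response.encodeRedirectURL(login));
            return; // do not fall through to doGet/doPost
        }

        // Authenticated: let HttpServlet dispatch to doGet/doPost as usual.
        super.service(request, response);
    }
}
```

Protected servlets extend `SecureServlet` and implement `doGet`/`doPost` as normal; the login servlet itself must extend `HttpServlet` directly, otherwise the redirect loops.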