tomcat-users mailing list archives

From Alistair Hopkins <alist...@berthengron.co.uk>
Subject Re: How to setup login based security?
Date Tue, 30 May 2000 15:33:30 GMT
here's mine.  i have barely touched it except to configure cocoon.



At 12:22 PM 5/30/00 -0400, you wrote:
>I get the same behavior which is not the behaviour of other appservers,
>been trying to get a straight answer for a while now.  Is there a setting in
>web.xml or server.xml which enforces this?  Does anybody else actually get
>request.getSession(false) to return null?  If so, let's see your web.xml
>
>rick
>
>----------
> >From: Kristina Öhgren <kristina.ohgren@mind.com>
> >To: tomcat-user@jakarta.apache.org
> >Subject: RE: How to setup login based security?
> >Date: Tue, May 30, 2000, 11:15 AM
> >
>
> > I have never gotten request.getSession(false) to return null either.
> > Isn't a session created as soon as you enter the site using tomcat?
> > I check a parameter that I set in the session instead. Not a desirable
> > solution, but the only one that works for me so far.
> >
> > ...
> > // Kristina
> >
> >
> > -----Original Message-----
> > From: Alistair Hopkins [mailto:alistair@berthengron.co.uk]
> > Sent: den 30 maj 2000 17:01
> > To: tomcat-user@jakarta.apache.org
> > Subject: Re: How to setup login based security?
> >
> >
> > request.getSession() returns a new or existing session
> > request.getSession(false) prevents this, and will only return an existing
> > one
> >
> > it works fine for me.
> >
> >
> > At 11:51 AM 5/30/00 -0400, you wrote:
> >>this won't work...
> >>
> >>request.getSession(false) never returns null on tomcat
> >>
> >>returns a session even on the first request with tomcat.  Or is there a
> >>setting that enforces this?
> >>
> >>rick
> >>
> >>----------
> >> >From: Alistair Hopkins <alistair@berthengron.co.uk>
> >> >To: tomcat-user@jakarta.apache.org
> >> >Subject: Re: How to setup login based security?
> >> >Date: Tue, May 30, 2000, 10:46 AM
> >> >
> >>
> >> > Why not write an abstract servlet which checks this
> >> >
> >> > <code>
> >> > public abstract class SecureServlet
> >> > extends HttpServlet
> >> > </code>
> >> >
> >> > where the service method checks the session before calling the normal
> >> > service methods
> >> >
> >> > <code>
> >> > HttpSession hs = request.getSession(false);
> >> > if (hs == null) {
> >> >     // tell them to log in here
> >> > } else {
> >> >     // session exists: hand over to the normal service method
> >> >     super.service(request, response);
> >> > }
> >> > </code>
> >> >
> >> > you can then handle URL hacks/timeouts/etc centrally, and make new
> >> > secure servlets by extending the SecureServlet
> >> >
> >> > <code>
> >> > public abstract class WhicheverServlet
> >> > extends SecureServlet
> >> > </code>
> >> >
> >> > i'm doing something like this, but also managing Denial of Service
> >> > prevention, db connection pools, etc from the abstract servlet.
> >> >
> >> > Also means that as there is no chaining, etc, etc, then it will work as is
> >> > on any servlet engine and won't fall foul of changing specs.
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > At 04:10 PM 5/30/00 +0200, you wrote:
> >> >>Hi,
> >> >>
> >> >>my webapplication starts with a form based user login. A database lookup is
> >> >>made to check if there is a user account. When the login is successful a
> >> >>user object is inserted in the current session data. All other servlets of my
> >> >>webapp should check if this user object exists and if not redirect the
> >> >>request to the login form.
> >> >>
> >> >>My idea is to implement a check servlet (or a simple class) which
> >> >>checks every request to my webapp before the requested servlet is called.
> >> >>Is this possible with tomcat or is there any other way to secure my webapp?
> >> >>
> >> >>Regards,
> >> >>
> >> >>         Christoph
> >> >>--
> >> >>Dipl.-Inf. Christoph Kulla    mailto:kulla@metabox.de
> >> >>Met@box AG                    http://www.metabox.de
> >> >>Daimlerring 37
> >> >>31135 Hildesheim              Phone: +49-5121-7533-0
> >> >>Germany                       Fax:   +49-5121-7533-78
> >> >>
> >> >>--------------------------------------------------------------------------
> >> >>To unsubscribe, email: tomcat-user-unsubscribe@jakarta.apache.org
> >> >>For additional commands, email: tomcat-user-help@jakarta.apache.org
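
Added example, not part of the thread and not code from any of the posters: the abstract-servlet idea combined with the session-attribute check described above, so the decision does not depend on whether request.getSession(false) returns null. The names USER_ATTR, LOGIN_PAGE and markLoggedIn are assumptions made for this sketch, and it is written against the javax.servlet API.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Base class for servlets that require a logged-in user. */
public abstract class SecureServlet extends HttpServlet {

    // Assumed names for this example; not taken from the thread.
    public static final String USER_ATTR = "user";
    public static final String LOGIN_PAGE = "/login.html";

    @Override
    protected void service(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Never create a session here; only look at one that already exists.
        HttpSession hs = request.getSession(false);

        // A session existing is not proof of login: require the user object
        // that the login servlet stored after the database lookup succeeded.
        if (hs == null || hs.getAttribute(USER_ATTR) == null) {
            response.sendRedirect(response.encodeRedirectURL(
                    request.getContextPath() + LOGIN_PAGE));
            return;
        }
        // Authenticated: dispatch to doGet/doPost/... as usual.
        super.service(request, response);
    }

    /** Called by the login servlet once the credentials have been verified. */
    public static void markLoggedIn(HttpServletRequest request, Object user) {
        // Drop any pre-login session so the authenticated session gets a fresh id.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true).setAttribute(USER_ATTR, user);
    }
}
```

The check only covers requests that reach a subclass of SecureServlet; JSPs and static files in the same webapp are served without it. The login page itself must not be served by a SecureServlet subclass, or the redirect loops.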