tomcat-users mailing list archives

From Alistair Hopkins <alist...@berthengron.co.uk>
Subject Re: How to setup login based security?
Date Tue, 30 May 2000 16:03:53 GMT
The only other thing I can see is that when I create the sessions I am 
checking for, I explicitly say

request.getSession(true)  rather than request.getSession()

So, perhaps that makes the difference.

?


At 12:46 PM 5/30/00 -0400, you wrote:
>I am going through the http runner as well and request.getSession(false)
>never returns null, even on a fresh browser.
>
>----------
> >From: Alistair Hopkins <alistair@berthengron.co.uk>
> >To: tomcat-user@jakarta.apache.org
> >Subject: RE: How to setup login based security?
> >Date: Tue, May 30, 2000, 11:28 AM
> >
>
> > Weird.
> >
> > You are making me feel insecure in my security.
> >
> > I swear it works for me, Tomcat 3.1 (I think, not B).
> >
> > I'm pretty sure it's in the servlet specs as well.
> >
> > HOWEVER, the only other thing I can think of is that I am not yet running
> > through Apache but through the http runner: could that make a difference?
> >
> > At 05:15 PM 5/30/00 +0200, you wrote:
> >>I have never gotten request.getSession(false) to return null either. Isn't a
> >>session created as soon as you enter the site using Tomcat?
> >>I check a parameter that I set in the session instead. Not a desirable
> >>solution, but the only one that works for me so far.
> >>
> >>...
> >>// Kristina
> >>
> >>
> >>-----Original Message-----
> >>From: Alistair Hopkins [mailto:alistair@berthengron.co.uk]
> >>Sent: den 30 maj 2000 17:01
> >>To: tomcat-user@jakarta.apache.org
> >>Subject: Re: How to setup login based security?
> >>
> >>
> >>request.getSession() returns a new or existing session.
> >>request.getSession(false) prevents this, and will only return an existing
> >>one.
> >>
> >>It works fine for me.
> >>
> >>
> >>At 11:51 AM 5/30/00 -0400, you wrote:
> >> >This won't work...
> >> >
> >> >request.getSession(false) never returns null on Tomcat.
> >> >
> >> >It returns a session even on the first request with Tomcat. Or is there a
> >> >setting that enforces this?
> >> >
> >> >rick
> >> >
> >> >----------
> >> > >From: Alistair Hopkins <alistair@berthengron.co.uk>
> >> > >To: tomcat-user@jakarta.apache.org
> >> > >Subject: Re: How to setup login based security?
> >> > >Date: Tue, May 30, 2000, 10:46 AM
> >> > >
> >> >
> >> > > Why not write an abstract servlet which checks this?
> >> > >
> >> > > <code>
> >> > > public abstract class SecureServlet
> >> > > extends HttpServlet
> >> > > </code>
> >> > >
> >> > > where the service method checks the session before calling the normal
> >> > > service methods
> >> > >
> >> > > <code>
> >> > > protected void service(HttpServletRequest request,
> >> > >                        HttpServletResponse response)
> >> > >     throws ServletException, IOException
> >> > > {
> >> > >   HttpSession hs = request.getSession(false);  // false: do not create one
> >> > >   if ( hs == null )
> >> > >   {
> >> > >              // tell them to log in here
> >> > >   } else
> >> > >   {
> >> > >          super.service(request, response);  // normal doGet/doPost dispatch
> >> > >   }
> >> > > }
> >> > > </code>.
> >> > >
> >> > > You can then handle URL hacks/timeouts/etc. centrally, and make new secure
> >> > > servlets by extending the SecureServlet
> >> > >
> >> > > <code>
> >> > > public class WhicheverServlet   // concrete, so the engine can instantiate it
> >> > > extends SecureServlet
> >> > > </code>
> >> > >
> >> > > I'm doing something like this, but also managing denial-of-service
> >> > > prevention, DB connection pools, etc. from the abstract servlet.
> >> > >
> >> > > It also means that, as there is no chaining, etc., etc., it will work as is
> >> > > on any servlet engine and won't fall foul of changing specs.
> >> > >
> >> > >
> >> > >
> >> > >
> >> > >
> >> > > At 04:10 PM 5/30/00 +0200, you wrote:
> >> > >>Hi,
> >> > >>
> >> > >>my web application starts with a form-based user login. A database lookup
> >> > >>is made to check if there is a user account. When the login is successful
> >> > >>a user object is inserted in the current session data. All other servlets
> >> > >>of my webapp should check if this user object exists and if not redirect
> >> > >>the request to the login form.
> >> > >>
> >> > >>My idea is to implement a check servlet (or a simple class) which
> >> > >>checks every request to my webapp before the requested servlet is
> >> > >>called. Is this possible with Tomcat, or is there any other way to secure
> >> > >>my webapp?
> >> > >>
> >> > >>Regards,
> >> > >>
> >> > >>         Christoph
> >> > >>--
> >> > >>+---------------------------------------------------------------------------+
> >> > >>| Dipl.-Inf. Christoph Kulla                        mailto:kulla@metabox.de |
> >> > >>| Met@box AG                                          http://www.metabox.de |
> >> > >>| Daimlerring 37                                                            |
> >> > >>| 31135 Hildesheim                                  Phone: +49-5121-7533-0  |
> >> > >>| Germany                                             Fax: +49-5121-7533-78 |
> >> > >>+---------------------------------------------------------------------------+
> >> > >>
> >> >
> >> > >>--------------------------------------------------------------------------
> >> > >>To unsubscribe, email: tomcat-user-unsubscribe@jakarta.apache.org
> >> > >>For additional commands, email: tomcat-user-help@jakarta.apache.org


Alistair Hopkins
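The pattern Alistair sketches (an abstract base servlet whose service method runs the check before dispatching to doGet/doPost), combined with the check Kristina describes (a user object stored in the session at login, rather than the mere existence of a session), written out against the Servlet 2.2 API. This is an added example, not code from this thread or from Tomcat. The attribute name "user", the paths /login and /account, the form fields username and password, and the in-memory user table standing in for Christoph's database lookup are all assumptions. Testing for an attribute rather than for getSession(false) != null is what makes the check robust when the engine or a JSP page (session="true" is the JSP default) has already created a session before login. The login servlet additionally invalidates any pre-login session before storing the user, a hardening step against session fixation that the thread does not discuss.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Base class for servlets that only a logged-in user may reach. The test is
 * "does the session carry a user object set at login?", not "does a session
 * exist?", because the engine or a JSP page may have created one already.
 */
public abstract class SecureServlet extends HttpServlet {

    /** Session attribute holding the logged-in user object (name assumed). */
    public static final String USER_KEY = "user";

    /** Path of the login form, relative to the context root (assumed). */
    public static final String LOGIN_PATH = "/login";

    /** Returns the logged-in user for this request, or null if not logged in. */
    public static Object currentUser(HttpServletRequest request) {
        HttpSession hs = request.getSession(false); // never create one just to look
        if (hs == null) {
            return null;
        }
        return hs.getAttribute(USER_KEY);
    }

    /** Runs before doGet/doPost of every subclass: redirect unless logged in. */
    protected void service(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if (currentUser(request) == null) {
            response.sendRedirect(response.encodeRedirectURL(
                    request.getContextPath() + LOGIN_PATH));
            return;
        }
        super.service(request, response); // normal doGet/doPost dispatch
    }
}

/** Handles the login form POST and establishes the authenticated session. */
class LoginServlet extends HttpServlet {

    /** Constructed stand-in for the database lookup: user name -> password. */
    private static final Map USERS = new HashMap();
    static {
        USERS.put("christoph", "correct horse battery staple");
    }

    /** Returns a user object for a correct name/password pair, else null. */
    static Object authenticate(String name, String password) {
        if (name == null || password == null) {
            return null;
        }
        String expected = (String) USERS.get(name);
        if (expected == null || !expected.equals(password)) {
            return null;
        }
        return name; // a real application returns its own user object here
    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Object user = authenticate(request.getParameter("username"),
                                   request.getParameter("password"));
        String base = request.getContextPath();
        if (user == null) {
            response.sendRedirect(response.encodeRedirectURL(
                    base + SecureServlet.LOGIN_PATH + "?failed=1"));
            return;
        }
        // Hardening beyond the thread: discard any session that existed before
        // login so a session id chosen before authentication is never promoted
        // to an authenticated one (session fixation).
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession hs = request.getSession(true); // fresh id for the logged-in user
        hs.setAttribute(SecureServlet.USER_KEY, user);
        response.sendRedirect(response.encodeRedirectURL(base + "/account"));
    }
}

/** A protected page: inherits the check and only implements doGet. */
class AccountServlet extends SecureServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/plain");
        response.getWriter().println("Logged in as " + currentUser(request));
    }
}
```

Every servlet that extends SecureServlet gets the redirect for free, and the same place can later grow timeout handling or the connection-pool plumbing Alistair mentions. Because the check looks at the attribute rather than at session existence, it gives the same answer whether the request came through the http runner or through Apache, and whether or not a JSP page created a session earlier in the visit.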

