From Daniel Bruce Lynes <>
Subject Re: user authentication
Date Tue, 14 Nov 2000 04:36:26 GMT
On Mon, 13 Nov 2000, Michelle wrote:

> I've been delving through the Tomcat archives and various guru site
> out there, trying to piece together a sound approach to handling
> user authentication and rights access.  I've seen some threads and
> articles on using sessions, some references in the Tomcat archives
> to JDBCRealm (which I cannot find anything more on), hooking into
> databases .. etc.  I find I am a bit miffed and coming here looking
> for some suggestions.
> My site ....
> > will have static and dynamic pages
> > will contain both protected and unprotected areas
> > in the protected areas, will require logins
> > each user will be assigned a role for the protected area
>     which grants access rights such as read, write, admin
>     - yes, an ACL model

For our system, we're managing it all through sessions.  When the person logs
in, their login information is checked against a database object.  If it
matches, they're logged in.  Otherwise, they're asked to provide a correct
login, or bugger off.

After they're logged in, there is a user object associated with their session
(session.setAttribute( "user", user )).

It is this user object that decides where they can go, and what they
can access.

> Any thoughts on the best approach?
> > Should I use JDBCRealm (an can someone send me the link
>    to docs please?)
> > Should I use the session object to hold a URL to role access
>     hash once a user logs?
> > Should I spin my own (YIKES!)?

That's what we chose to do.  However, we have very specific needs for our
project.  Perhaps you do not, for yours.  Perhaps you just want a UNIX-style ACL
system.  If that is the case, and you're not overly concerned about passwords
flying over the network, you might consider Apache access control files (if
you're using Apache), or whatever the similar item is for IIS.

Daniel Lynes
eService System Corp.
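The scheme Daniel describes (check the submitted login against the database, put a user object in the session, decide access from that object) written out as a servlet plus a filter. This is an added example, not code from the post or from eService System Corp. It assumes the Servlet 3.0+ javax API (Tomcat 7 to 9), a JNDI DataSource named jdbc/site, a users table with login, salt, password_hash and role columns holding PBKDF2 hashes, and the role names "reader", "editor" and "admin"; all of those names are assumptions, not anything from the thread.

```java
import java.io.IOException;
import java.io.Serializable;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.sql.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.*;
import javax.servlet.annotation.*;
import javax.servlet.http.*;
import javax.sql.DataSource;

/** Session-based login plus role/ACL checks, kept in one file so it compiles as-is. */
public final class SessionAuth {

    /** The user object kept under the session attribute "user" after a successful login. */
    public static final class User implements Serializable {
        final String login;
        final String role;   // assumed role names: "reader", "editor", "admin"

        User(String login, String role) { this.login = login; this.role = role; }

        /** ACL: which rights ("read", "write", "admin") each role grants; unknown roles get nothing. */
        boolean has(String right) {
            switch (role) {
                case "admin":  return true;
                case "editor": return right.equals("read") || right.equals("write");
                case "reader": return right.equals("read");
                default:       return false;
            }
        }
    }

    /** Checks the submitted login against the users table and, on a match, puts a User in the session. */
    @WebServlet("/login")
    public static final class LoginServlet extends HttpServlet {
        private DataSource ds;

        @Override public void init() throws ServletException {
            try {   // JNDI name is an assumption; declare it as a <Resource> in Tomcat's context.xml
                ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/site");
            } catch (NamingException e) { throw new ServletException(e); }
        }

        @Override protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            String login = req.getParameter("login"), password = req.getParameter("password");
            String role = (login == null || password == null) ? null : authenticate(login, password);
            if (role == null) {
                // Same reply for an unknown user and a wrong password, so the form cannot enumerate logins.
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "login incorrect, try again");
                return;
            }
            // Drop any pre-login session so a session id an attacker planted is not promoted to a logged-in one.
            HttpSession old = req.getSession(false);
            if (old != null) old.invalidate();
            req.getSession(true).setAttribute("user", new User(login, role));
            resp.sendRedirect(req.getContextPath() + "/protected/");
        }

        /** Returns the user's role if login and password match a row, else null. Table layout is assumed. */
        private String authenticate(String login, String password) throws ServletException {
            String sql = "SELECT salt, password_hash, role FROM users WHERE login = ?";
            try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
                ps.setString(1, login);                      // bound parameter, never string-concatenated
                try (ResultSet rs = ps.executeQuery()) {
                    if (!rs.next()) return null;
                    byte[] salt = rs.getBytes("salt"), stored = rs.getBytes("password_hash");
                    byte[] derived = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                            .generateSecret(new PBEKeySpec(password.toCharArray(), salt, 100_000, 256))
                            .getEncoded();
                    // Constant-time comparison of the stored hash with the one derived from the submitted password.
                    return MessageDigest.isEqual(stored, derived) ? rs.getString("role") : null;
                }
            } catch (SQLException | GeneralSecurityException e) {
                throw new ServletException(e);
            }
        }
    }

    /** Guards everything under /protected/: no User in the session means back to the login page. */
    @WebFilter("/protected/*")
    public static final class AccessFilter implements Filter {
        @Override public void init(FilterConfig cfg) {}
        @Override public void destroy() {}

        @Override public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) rq;
            HttpServletResponse resp = (HttpServletResponse) rs;
            HttpSession session = req.getSession(false);
            User user = session == null ? null : (User) session.getAttribute("user");
            if (user == null) {
                resp.sendRedirect(req.getContextPath() + "/login.html");
                return;
            }
            // Map the request onto a right: admin URLs need "admin", reads need "read", anything else "write".
            String path = req.getRequestURI().substring(req.getContextPath().length());
            String method = req.getMethod();
            String needed = path.startsWith("/protected/admin/") ? "admin"
                    : ("GET".equals(method) || "HEAD".equals(method)) ? "read" : "write";
            if (!user.has(needed)) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            chain.doFilter(rq, rs);
        }
    }
}
```

Two points the post leaves implicit are worth checking in any home-grown version: the old session must be invalidated before the user object is stored (otherwise a session id handed to the victim before login becomes a logged-in session), and the filter should be the only way into the protected area, denying by default rather than relying on each page to check. The "passwords flying over the network" concern Daniel raises applies equally here; the form must be served and posted over TLS.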

