tomcat-users mailing list archives

From "Hughes, Tim" <tim.hug...@cgey.com>
Subject RE: Programmatic security with servlet mappings in tomcat
Date Tue, 03 Jul 2001 08:50:29 GMT

I did not want to use the container's authentication mechanism for several
reasons:

1. I can't store passwords and usernames in a database.
2. I get more control over the login process, e.g. I can give different login
error messages depending on the source of the login failure (wrong password,
wrong username, etc.), and I can log these login failures (useful since
they may help in detecting "break-ins").
3. I read in Wrox Professional Java Server Programming that "as of writing
this chapter, Tomcat (Version 3.1) does not completely support form-based
authentication. Although Tomcat includes an experimentation version of
form-based authentication, this is not suitable for demonstration purposes".


~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tim Hughes
~~~~~~~~~~~~~~~~~~~~~~~~~~



-----Original Message-----
From: Antony Bowesman [mailto:adb@teamware.com]
Sent: 3 July 2001 10:32
To: tomcat-user@jakarta.apache.org
Subject: Re: Programmatic security with servlet mappings in tomcat


Pete,

pete wrote:
> 
> Tim,
> 
> there are several ways to implement this kind of security check. If you
> want a fullblown MVC model, you might consider looking at Struts or one
> of the other Apache-driven frameworks (Struts is the only one i have
> personal experience with).
> 
> with the example you give, i don't understand the need for a
> 'controller' jsp in this context.
> 
> The way i handle security in one of my apps is that i have a method in a
> session-bean (public void isAuthenticated()) that checks the user has a
> valid login, so all my jsps (except login.jsp) are wrapped in a
> statement like
> 
> <jsp:useBean id="Authentication" scope="session"
> class="com.mycompany.authentication"></jsp:useBean>
> 
> <%if (Authentication.isAuthenticated())
> {%>
> 
> .... rest of JSP goes here
> 
> <%}
> else
> {
> response.sendRedirect("./login.jsp");
> }
> %>
> 
> If a valid session key is already assigned, the method returns true. If
> username and password are supplied in request scope, isAuthenticated
> does a lookup to our authentication database, and if successful, sets a
> valid session key, and returns true.
> 
> If neither of these are true, isAuthenticated sets a 'you are not
> authenticated' message to be displayed by login.jsp,  returns false, and
> the user is redirected back to login.jsp

Interesting that you don't use the container's authentication mechanism
to protect pages.  What if someone writes an app that doesn't protect
the page?  Any reason why you chose this route?

Rgds
Antony


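Antony's objection to Pete's approach (a JSP that omits the `isAuthenticated()` wrapper is simply unprotected) is the usual argument for moving the check out of the pages and into one component that the container applies to every request. The servlet filter below is an added example written for this page; it is not code from Tim, Pete or Antony. It assumes a Servlet 2.3 container (filters are not in the Servlet 2.2 API that Tomcat 3.x implements), and every name in it (`AuthFilter`, `Authenticator`, the `auth.user` and `auth.message` session attributes, `/login.jsp`, `/static/`) is this example's own choice. It keeps Tim's requirements: credentials are checked against a store of the application's choosing, and each failure is logged with its specific reason, while the client gets one generic message so the response does not tell an outsider which usernames exist.

```java
// Added example, not from the thread. Assumes the Servlet 2.3 API (javax.servlet.Filter).
// Deploy with this web.xml fragment (filter-name and class are this example's own):
//   <filter>
//     <filter-name>auth</filter-name>
//     <filter-class>com.example.auth.AuthFilter</filter-class>
//   </filter>
//   <filter-mapping><filter-name>auth</filter-name><url-pattern>/*</url-pattern></filter-mapping>
package com.example.auth;

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** One filter on /* does the check Pete's JSPs each repeat, so no page can forget it. */
public class AuthFilter implements Filter {
    static final String USER_ATTR = "auth.user";       // present only after a successful login
    static final String MESSAGE_ATTR = "auth.message"; // read and cleared by login.jsp
    private ServletContext ctx;

    public void init(FilterConfig cfg) { ctx = cfg.getServletContext(); }
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getServletPath();

        // Allow-list: the login page and its static resources are reachable without a session.
        if ("/login.jsp".equals(path) || path.startsWith("/static/")) {
            chain.doFilter(req, res);
            return;
        }

        // Already authenticated in this session: let the request through.
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(USER_ATTR) != null) {
            chain.doFilter(req, res);
            return;
        }

        // Credentials posted with this request: verify them (Pete's "request scope" case).
        String user = request.getParameter("username");
        String pass = request.getParameter("password");
        if (user != null && pass != null && "POST".equals(request.getMethod())) {
            Authenticator.Result r = Authenticator.check(user, pass);
            if (r == Authenticator.Result.OK) {
                // Fresh session on login, so a session id handed out before login is not reused.
                if (session != null) session.invalidate();
                request.getSession(true).setAttribute(USER_ATTR, user);
                chain.doFilter(req, res);
                return;
            }
            // The specific reason goes to the server log (Tim's break-in detection);
            // the user sees the same generic message whichever check failed.
            ctx.log("login failed for '" + user + "' from " + request.getRemoteAddr() + ": " + r);
        }

        // Not authenticated: send to the login page and do not continue the chain.
        request.getSession(true).setAttribute(MESSAGE_ATTR, "Login required or login failed.");
        response.sendRedirect(request.getContextPath() + "/login.jsp");
    }
}

/** Credential check with a distinct result per failure cause, for logging only. */
class Authenticator {
    enum Result { OK, NO_SUCH_USER, BAD_PASSWORD }

    // Constructed in-memory store standing in for the user table; a real deployment
    // looks the user up in the database and compares a salted password hash.
    private static final Map<String, String> STORE = new HashMap<String, String>();
    static {
        STORE.put("alice", "correct-horse");
    }

    static Result check(String user, String pass) {
        String expected = STORE.get(user);
        if (expected == null) return Result.NO_SUCH_USER;
        return expected.equals(pass) ? Result.OK : Result.BAD_PASSWORD;
    }
}
```

The login page then only has to display and clear `auth.message`; it needs no check of its own, and any new JSP added under the context is protected by the `/*` mapping without its author doing anything.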
