tomcat-users mailing list archives

From "Steven Rock" <st...@ecirkit.org>
Subject RE: User-password from the HttpServletRequest
Date Wed, 02 May 2007 21:08:13 GMT
I use form based authentication backed by a Database Realm. After the user
logs in I can get the user info on top of every JSP page with this code
snippet.

<%@ page import="java.security.Principal" %>
<%
Principal principal = request.getUserPrincipal();
// fetches the user from the database; the user name is unique
User loggedInUser = JSPUtils.loadUser(session, principal.getName());

loggedInUser.getPassword();
loggedInUser.getLastAccessDate();
loggedInUser.isAdmin();
loggedInUser.getEmail();
// etc.
%>

User is my own custom object created with Hibernate, mapped to the user
table. However, this object can be created by straight SQL/JDBC also. My code
also stores the User object in the session so that it is only loaded from
the database once. This way I don't have to do anything fancy to get all the
info I need on a User, just straight database calls.

Cheers, 
-Steve Rock
eCirkit.com
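
Steve's pattern above, as an added example that is not code from his application: a servlet filter that resolves the container's Principal to a user record, loads it from the database once per session, and reloads it if the session is carried over to a different account. UserProfile and UserRepository are hypothetical stand-ins for his Hibernate-mapped User and JSPUtils.loadUser; the repository is assumed to be published as a ServletContext attribute named "userRepository". The view deliberately carries no password field: whatever the cached object exposes is reachable from every page's scriptlet, so the credential column is best left out of it.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Read-only view of a user row. Hypothetical stand-in for the Hibernate-mapped User; no password field on purpose. */
final class UserProfile {
    private final String name;
    private final String email;
    private final boolean admin;

    UserProfile(String name, String email, boolean admin) {
        this.name = name;
        this.email = email;
        this.admin = admin;
    }
    String getName()  { return name; }
    String getEmail() { return email; }
    boolean isAdmin() { return admin; }
}

/** Lookup by the unique user name; hypothetical, implemented by JDBC or Hibernate code. */
interface UserRepository {
    UserProfile findByName(String name);   // null when no row matches
}

/** Resolves the container-authenticated Principal to a UserProfile, hitting the database once per session. */
public class LoggedInUserFilter implements Filter {
    static final String SESSION_KEY = "loggedInUser";  // cached profile lives here
    static final String REQUEST_KEY = "user";          // JSPs read it as ${user.email}

    private UserRepository users;

    /** Assumes the application registered its repository as a ServletContext attribute (assumption). */
    public void init(FilterConfig cfg) throws ServletException {
        users = (UserRepository) cfg.getServletContext().getAttribute("userRepository");
        if (users == null) {
            throw new ServletException("userRepository not registered in ServletContext");
        }
    }

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        UserProfile user = resolve(request);
        if (user != null) {
            request.setAttribute(REQUEST_KEY, user);
        }
        chain.doFilter(req, res);
    }

    /** Returns the cached profile, reloading when the session is new or was reused by another principal. */
    UserProfile resolve(HttpServletRequest request) {
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            return null;                                   // not authenticated by the container
        }
        HttpSession session = request.getSession(true);
        Object cached = session.getAttribute(SESSION_KEY);
        if (cached instanceof UserProfile
                && ((UserProfile) cached).getName().equals(principal.getName())) {
            return (UserProfile) cached;                   // same user: no database round trip
        }
        // First request after login, or a session carried over from a different account: reload.
        UserProfile fresh = users.findByName(principal.getName());
        if (fresh == null) {
            session.removeAttribute(SESSION_KEY);          // principal known, no user row: don't cache stale data
            return null;
        }
        session.setAttribute(SESSION_KEY, fresh);
        return fresh;
    }
}
```

The name comparison on the cached object is the part a plain "load once" cache misses: if a container session survives a logout and a second login as another account, the first user's record would otherwise keep being served.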

-----Original Message-----
From: Johnny Kewl [mailto:john@kewlstuff.co.za] 
Sent: Wednesday, May 02, 2007 4:06 PM
To: Tomcat Users List
Subject: Re: User-password from the HttpServletRequest

JDBC I guess...

Maybe the difficulty is an indication that it's not the right way to go...
For example if a user ever has to change their password... data is lost, or 
a huge procedure.

Think about this... maybe it's a good idea.

Remember that if you see the user name in a page.... it means they 
authenticated.
So if the user gets to the code.... they had to come through the locked 
door...
And if the user is going to get the data back through the browser... this 
will probably work.

Invent a secret code.... A4H%BIGSECRETYtffguT    etc etc.
Then HASH that say using MD5 with the User name....
That becomes your password.... and you lock and unlock the data with that.
Not terrific cryptography... but it will work and users can change their 
passwords...
Could add some salt to that.... like the documents name.
Maybe.... good luck
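
Johnny's construction (a server secret hashed together with the user name, optionally salted with the document name, used to lock and unlock stored data) as an added example; this is not his code. It keeps the shape of what he describes but substitutes HMAC-SHA256 for MD5 as the key-derivation step and AES-GCM as the cipher, both my choices. SERVER_SECRET is a constructed placeholder; a real deployment loads it from protected configuration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public final class PerUserVault {
    // Constructed placeholder; a real deployment loads the secret from protected configuration.
    private static final byte[] SERVER_SECRET =
            "A4H%BIGSECRETYtffguT-placeholder-change-me".getBytes(StandardCharsets.UTF_8);

    private static final int NONCE_BYTES = 12;   // standard GCM nonce length
    private static final int TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    private PerUserVault() {}

    /** Per-user, per-document key: HMAC-SHA256(secret, userName || 0x00 || documentName). */
    static byte[] deriveKey(String userName, String documentName) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SERVER_SECRET, "HmacSHA256"));
        mac.update(userName.getBytes(StandardCharsets.UTF_8));
        mac.update((byte) 0);                      // separator so "ab"+"c" and "a"+"bc" differ
        mac.update(documentName.getBytes(StandardCharsets.UTF_8));
        return mac.doFinal();                      // 32 bytes, used directly as an AES-256 key
    }

    /** Encrypts plaintext for (userName, documentName); output is nonce || ciphertext || tag. */
    static byte[] lock(String userName, String documentName, byte[] plaintext) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(nonce);                      // fresh nonce per call: never reuse one under the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(deriveKey(userName, documentName), "AES"),
                    new GCMParameterSpec(TAG_BITS, nonce));
        cipher.updateAAD(documentName.getBytes(StandardCharsets.UTF_8)); // bind the blob to its name
        byte[] body = cipher.doFinal(plaintext);
        byte[] out = new byte[NONCE_BYTES + body.length];
        System.arraycopy(nonce, 0, out, 0, NONCE_BYTES);
        System.arraycopy(body, 0, out, NONCE_BYTES, body.length);
        return out;
    }

    /** Reverses lock(); throws if the blob was altered or belongs to another user or document. */
    static byte[] unlock(String userName, String documentName, byte[] blob) throws GeneralSecurityException {
        if (blob.length < NONCE_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("blob too short");
        }
        byte[] nonce = Arrays.copyOfRange(blob, 0, NONCE_BYTES);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(deriveKey(userName, documentName), "AES"),
                    new GCMParameterSpec(TAG_BITS, nonce));
        cipher.updateAAD(documentName.getBytes(StandardCharsets.UTF_8));
        return cipher.doFinal(blob, NONCE_BYTES, blob.length - NONCE_BYTES);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] blob = lock("sebbo", "notes.txt", "hello".getBytes(StandardCharsets.UTF_8));
        String back = new String(unlock("sebbo", "notes.txt", blob), StandardCharsets.UTF_8);
        System.out.println(back);                  // the user's password played no part
        try {
            unlock("johnny", "notes.txt", blob);   // another user's key: the authentication tag fails
        } catch (GeneralSecurityException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Because the key depends only on the server secret and the user name, a password change leaves stored data readable, which is the property Johnny is after. The flip side is that whoever holds the server secret can derive every user's key, so the protection of that one value is the entire security boundary; the data is shielded from the database, not from the application host.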


----- Original Message ----- 
From: <sebbo@gmx.ch>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Wednesday, May 02, 2007 9:06 PM
Subject: Re: User-password from the HttpServletRequest


> I'm using a DataSource Realm.
>
> Hmm but from where can I access the credentials?
>
>
>
> -------- Original Message --------
> Date: Wed, 02 May 2007 20:00:04 +0100
> From: Pid <p@pidster.com>
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: User-password from the HttpServletRequest
>
>> sebbo@gmx.ch wrote:
>> >> Do you mean during the login process, or after it has been done?
>> > I mean after the user has been logged in (form based login).
>> >
>> > Have you an example how I can receive the password from the
>> HttpServletRequest?
>>
>> You can't access the credential from the HttpServletRequest object; it's not
>> made available as part of the Servlet spec.
>>
>> Which realm implementation are you using?
>>
>>
>> p
>>
>>
>> > greets
>> >
>> >
>> > -------- Original Message --------
>> > Date: Wed, 02 May 2007 13:31:49 -0400
>> > From: Christopher Schultz <chris@christopherschultz.net>
>> > To: Tomcat Users List <users@tomcat.apache.org>
>> > Subject: Re: User-password from the HttpServletRequest
>> >
>> >> -----BEGIN PGP SIGNED MESSAGE-----
>> >> Hash: SHA1
>> >>
>> >> Sam,
>> >>
>> >> sebbo@gmx.ch wrote:
>> >>> How can I get the password from the logged in user via the
>> >>> HttpServletRequest in general? (I need the password in a servlet
>> >>> filter to do some stuff)
>> >> Do you mean during the login process, or after it has been done?
>> >>
>> >> Unless you can get a request object during the login process, you will
>> >> only be able to get the user's password when using BASIC authentication
>> >> (not FORM).
>> >>
>> >> You'll need to get the "Authorization" header from the request and
>> >> decode it to get the user's credentials. You can read all about HTTP
>> >> auth in RFC 2617 (http://www.faqs.org/rfcs/rfc2617.html) to determine
>> >> how to interpret the data found there.
>> >>
>> >>> And is there some web server independent solution?
>> >> I assume that you mean /application server/-independent solution. Yes,
>> >> all (compliant) Java application servers support the servlet API.
>> >>
>> >> - -chris
>> >>
>> >> -----BEGIN PGP SIGNATURE-----
>> >> Version: GnuPG v1.4.7 (MingW32)
>> >> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>> >>
>> >> iD8DBQFGOMsF9CaO5/Lv0PARAlIvAKChwWOlitX82IddFCuhseB/yVQKdgCgpwAN
>> >> IUy2xRS5++zOtJm/Zvfd31s=
>> >> =HvYe
>> >> -----END PGP SIGNATURE-----
>> >>
>> >> ---------------------------------------------------------------------
>> >> To start a new topic, e-mail: users@tomcat.apache.org
>> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> >> For additional commands, e-mail: users-help@tomcat.apache.org
>> >
>>
>
>
>
> 




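
The header decoding Chris describes in the quoted thread (read the "Authorization" header, decode it per RFC 2617), as an added example that is neither his code nor Tomcat's: a parser for the Basic scheme and a filter that applies it on every request. Under FORM login the header is simply absent and parse() returns null, which is the limitation Chris points out. The ISO-8859-1 charset is an assumption; RFC 2617 does not name one, and it is what browsers historically sent. The request attribute name "basicCredentials" is hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/** Credentials recovered from an RFC 2617 Basic Authorization header. */
final class BasicCredentials {
    final String userName;
    final String password;

    BasicCredentials(String userName, String password) {
        this.userName = userName;
        this.password = password;
    }

    /**
     * Parses "Basic base64(user:password)". Returns null for a missing, non-Basic or
     * malformed header rather than throwing, so the filter can simply fall through.
     */
    static BasicCredentials parse(String authorization) {
        if (authorization == null) {
            return null;                                   // FORM login: no header on the request
        }
        String header = authorization.trim();
        int sp = header.indexOf(' ');
        if (sp < 0 || !header.substring(0, sp).equalsIgnoreCase("Basic")) {
            return null;                                   // scheme token is case-insensitive
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(header.substring(sp + 1).trim());
        } catch (IllegalArgumentException e) {
            return null;                                   // not valid base64
        }
        // RFC 2617 names no charset; ISO-8859-1 is what browsers historically sent (assumption).
        String pair = new String(decoded, StandardCharsets.ISO_8859_1);
        int colon = pair.indexOf(':');
        if (colon < 0) {
            return null;                                   // "userid:password" is mandatory
        }
        // Split on the first colon only: the user-id may not contain ':' but the password may.
        return new BasicCredentials(pair.substring(0, colon), pair.substring(colon + 1));
    }

    /** The only representation that should ever reach a log line or error page. */
    public String toString() {
        return "BasicCredentials[user=" + userName + ", password=<redacted>]";
    }
}

/** Filter that hands the parsed credentials to downstream code as a request attribute. */
public class BasicCredentialsFilter implements Filter {
    static final String ATTRIBUTE = "basicCredentials";    // hypothetical attribute name

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        BasicCredentials creds = BasicCredentials.parse(request.getHeader("Authorization"));
        if (creds != null) {
            request.setAttribute(ATTRIBUTE, creds);
        }
        chain.doFilter(req, res);
    }

    public static void main(String[] args) {
        // RFC 2617 section 2 example: user "Aladdin", password "open sesame"
        BasicCredentials c = BasicCredentials.parse("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==");
        System.out.println(c.userName + " / " + c.password.length() + " characters");
    }
}
```

With BASIC the browser resends the credentials on every request, so the filter sees the cleartext password each time; that only makes sense over TLS, and the parsed object should never be logged or serialized into the session.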

