Hi.
Sorry for the long post.
Given the lack of J2EE and Servlet 2.2 compliant application servers, I'm a bit
stuck on this one.
Suppose I want to use the declarative form-based authentication. This allows me
to specify the page to use to fetch the user ID and password. The form embedded
in this page must look like this:
<form method="POST" action="j_security_check">
<input type="text" name="j_username">
<input type="password" name="j_password">
</form>
The container will then verify the user name and password and create a session.
And here come the problems.
First, where will the server look for the user name and password? How is it
configurable? I would like to be able to use a custom table, or a session bean
which will do the work for me, or an LDAP server, or <insert what you want here>.
Second, what will the cookie used as session ID (or appended string if URL
rewriting is used) contain? IMO, it should at least be a long secure random
number, else anybody could easily guess a session ID and access a protected
resource. Is it possible to configure the content of the cookie (it could
contain encrypted user-related info, for example)?
Third, for subsequent requests, the container will intercept the session ID and
try to map a session with this ID. Is this process configurable? Suppose I want
to check that the request comes from the same IP address as before. Suppose also
that I want to renew the session ID (new random number, or sequence number, or
anything else). Is it possible?
Four: if, for any of the above reasons, I end up with a proprietary form-based
authentication, not declarative, how do I set the user principal by myself? This
is necessary, because I still want to know the roles this principal is
associated with; I still want to pass this principal to the EJB calls, etc.
Five: if I still want to use the declarative form-based authentication, but also
want the users to be able to enroll themselves (choose a user ID and password),
how can I insert a new user in the user database and map him to some roles?
The authentication part, though enhanced in the latest specs, is still full of
big holes, unless I missed a big part. So if you could tell me what you think,
or what you know from different products, this would be nice.
Thanks.
JB.
--
Jean-Baptiste Nizet
[EMAIL PROTECTED]
R&D Engineer, S1 Belgium
Excelsiorlaan 87
B-1930 Zaventem
+32 2 714 45 42