Emanuel,
No, I'm talking about using what the spec ensures a compatible container
provides you. Take the following web.xml deployment descriptor below.
It's the container's job to make sure I'm authenticated and authorized
before I get to access anything in the "protected" directory; if I'm not
authenticated, the container (Tomcat in your case) will automatically
either pop up an auth window or forward you to the login page. Similar
mechanisms are available for EJB container stuff (right down to the
method, if you want it!). I suggest you get the servlet 2.2 spec and
look it over before you go through the hassle of implementing your own
security code. If you choose form-based login, your jsp code only has
to look like this:
<form method="POST" action="j_security_check">
Username: <input type="text" name="j_username"><br>
Password: <input type="password" name="j_password"><p>
<input type="submit" value="login" name="j_security_check">
</form>
If you are using Tomcat and want to see an example, look in
$TOMCAT_HOME/webapps/examples/jsp/security/.
Now, yes, of course at some point you need to connect it with your
company's underlying security particulars. In Tomcat, it's as easy as
creating a "Realm RequestInterceptor." They provide a "SimpleRealm" and
"JDBCRealm" out-of-the-box. Other containers have different ways of
doing it, but it's usually pretty straightforward.
Again, what I always tell people is that they should really read an
API's spec *before* they start designing their application that uses it.
If they don't read it, they will not be able to take advantage of all
its features, and will probably end up doing a lot more custom work than
they had to.
Regards,
David
--
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
  <display-name>Container Security Example</display-name>
  <description>
    This is a simple web application that demonstrates container-managed
    security.
  </description>
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>default</role-name>
    </auth-constraint>
  </security-constraint>
  <!--
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Protected</realm-name>
  </login-config>
  -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Protected</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
--
Emanuel Galindo wrote:
> When you said 'I suggest letting the container manage security for you'
> you mean that manually check that for example, it's the session loaded or
> else send the user to a login page?? I have been looking for auth. examples
> and the filtering mode seems to be the best for me. Lets me write code
> and map to the servlet that requires it without insert code in the
> servlets.
>
> Emmanuel (writing like tarzan speaking Latin)
>
> On Tue, 22 May 2001, David Ward wrote:
>
>
>> Emanuel,
>>
>> Filters are introduced in the servlet 2.3 spec. I'm guessing your
>> servlet.jar is only 2.2, which is what comes with Tomcat 3.x. servlet
>> 2.3 will be part of Tomcat 4.
>>
>> On a side (design) note, I suggest letting the container manage security
>> for you. The Sun example is probably just trying to teach people about
>> Filters, without looking at the bigger picture (not sure; I haven't seen
>> it).
>>
>> Hope this helps,
>> David
>>
>> --
>>
>> Emanuel Galindo wrote:
>>
>>
>>> Hi, I'm designing auth process that map filter with a LogFilter servlet
>>> that parses incoming request.
>>> The code is tiny and it's structured base in a Sun example.
>>> The problem comes when I compile it, I cannot reach the Filter class,
>>> obviously either the FilterConfig or FilterChain.
>>> I decompress servlet.jar in a temp dir the servlet.jar (the java docs
>>> says that this libs comes in javax.servlet) from different versions I have
>>> and I cannot find it !!!
>>>
>>> This feature can save me time and any suggestion or answer of any type in
>>> this subject would be nice
>>>
>>> Thanks in advance
>>>
>>>
>>> _______________________________________________
>>> JBoss-user mailing list
>>> [EMAIL PROTECTED]
>>> http://lists.sourceforge.net/lists/listinfo/jboss-user
>>
>>
>>
--
-----------------------------------------------------------------------
David Ward [EMAIL PROTECTED]
Senior Software Engineer http://www.dotech.com
Distributed Object Technologies, Inc. 716-381-8320 (phone)
500 Linden Oaks, Rochester, NY 14625 716-381-0598 (fax)
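
An added example, not part of David's message or of the Tomcat examples: a small audit of the security-constraint in the descriptor above. Under the deployment descriptor DTD, a web-resource-collection that lists http-method elements constrains only those methods, so the check reports which common methods fall outside the constraint; the KNOWN_METHODS list and the function names are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

# Added example. KNOWN_METHODS is an assumed reference list, not taken from the spec.
KNOWN_METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"]

# Trimmed copy of the security-constraint from the descriptor in this message.
SAMPLE_WEB_XML = """
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>default</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

def local(tag):
    """Drop an XML namespace prefix so DTD-style and namespaced descriptors both match."""
    return tag.rsplit("}", 1)[-1]

def texts(elem, name):
    return [(c.text or "").strip() for c in elem if local(c.tag) == name]

def audit_constraints(web_xml):
    """Return one finding per web-resource-collection in a web.xml string."""
    findings = []
    root = ET.fromstring(web_xml)
    for sc in (e for e in root.iter() if local(e.tag) == "security-constraint"):
        roles = [r for ac in sc if local(ac.tag) == "auth-constraint"
                 for r in texts(ac, "role-name")]
        for wrc in (c for c in sc if local(c.tag) == "web-resource-collection"):
            listed = [m.upper() for m in texts(wrc, "http-method")]
            # Per the descriptor DTD, no <http-method> means every method is constrained.
            uncovered = [m for m in KNOWN_METHODS if m not in listed] if listed else []
            findings.append({"patterns": texts(wrc, "url-pattern"), "roles": roles,
                             "listed": listed, "uncovered": uncovered})
    return findings

if __name__ == "__main__":
    for f in audit_constraints(SAMPLE_WEB_XML):
        print(f["patterns"], "roles:", f["roles"], "not constrained:", f["uncovered"])
```

Removing the http-method lines from the collection makes the constraint apply to every method, and the audit then reports nothing uncovered.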