One method I've used fairly successfully is to let the webserver do the
authentication -- this allows your site to be added to other sites and rely
on their authentication.
All I do is turn on the built-in auth for the web server, and it takes care
of sending a WWW-Authenticate header to users who don't yet have an
Authenticate header in their requests. Of course, the basic auth is simple
user/pass using crypt, but various servers offer different auth methods such
as client-side certificates, etc.
With something like Apache, you can even write your own DSO authorization
add-in.
In order to cut down on admin tasks, I also generally automate the new user
creation -- the error link for unauthorized access attempts causes a
redirect to an unprotected new user creation site, where users step through
a wizard that gathers their info.
Once the info has been gathered, I create a user entry (on Apache, I exec
the htpasswd command in a JSP) and then redirect the user to the page they
originally tried to hit.
Once a user successfully enters the site, I use the remote username as a
lookup key to get the user's personalization info.
M
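
An added example, not code from the original post: one way to do the htpasswd step from Java when the username and password arrive from an unprotected signup form. The class name, file path and username policy are assumptions; `-i` (password read from stdin) and `-B` (bcrypt) are htpasswd options in Apache 2.4.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;
import java.util.stream.Stream;

public class HtpasswdSignup {
    // Assumed path; must match the AuthUserFile directive of the protected site.
    static final Path PASSWD_FILE = Paths.get("/etc/apache2/site.htpasswd");
    // Allow-list policy (assumption). Entries are "user:hash" lines, so ':' and
    // line breaks must never pass; a leading '-' would be read as an option.
    static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9_][A-Za-z0-9_.-]{2,31}");

    static boolean validUsername(String u) {
        return u != null && USERNAME.matcher(u).matches();
    }

    static boolean userExists(Path file, String user) throws IOException {
        if (!Files.exists(file)) return false;
        try (Stream<String> lines = Files.lines(file, StandardCharsets.UTF_8)) {
            return lines.anyMatch(l -> l.startsWith(user + ":"));
        }
    }

    // synchronized narrows, but does not remove, the check-then-write race.
    static synchronized void createUser(String user, String password)
            throws IOException, InterruptedException {
        if (!validUsername(user)) throw new IllegalArgumentException("bad username");
        if (password == null || password.isEmpty() || password.matches("(?s).*[\\r\\n].*"))
            throw new IllegalArgumentException("bad password");
        // htpasswd overwrites an existing entry, so an open signup page must
        // refuse known names or it becomes a password reset for any account.
        if (userExists(PASSWD_FILE, user)) throw new IllegalStateException("user exists");
        // Argument vector, no shell: form input is never parsed as a command.
        // -i takes the password on stdin (not visible in the process list).
        Process p = new ProcessBuilder("htpasswd", "-i", "-B", PASSWD_FILE.toString(), user)
                .redirectErrorStream(true).start();
        try (OutputStream stdin = p.getOutputStream()) {
            stdin.write((password + "\n").getBytes(StandardCharsets.UTF_8));
        }
        p.getInputStream().readAllBytes(); // drain output so the child cannot block
        if (p.waitFor() != 0) throw new IOException("htpasswd failed: " + p.exitValue());
    }
}
```

On the protected pages, the key for the personalization lookup should come from `request.getRemoteUser()`, which reflects the server's authentication result, rather than from a form field or cookie.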
===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".