"Maillet, David J." wrote:
> In a Model 2 environment, with a ControllerServlet calling corresponding
> Action classes based on the particular request, where should the
> authentication functionality go: In the ControllerServlet or in each Action
> class?
If you are rolling your own login authentication, putting it in the Controller
servlet is pretty easy. Just make sure that you allow the user to execute the
"login" action without being authenticated -- otherwise you're in a "Catch-22"
situation.
Note that putting authentication logic only in the servlet or action classes does
not protect you from the user trying to access one of your JSP pages directly -- it
will catch them only when they try to post. To prevent this, you'd also need to
add a check at the top of every JSP page.
>
> It seems that it makes sense to put it in just a single location, in the
> ControllerServlet. This way, the code is used in only one place, and no
> Action class can be added without authentication.
> But then, if authentication isn't needed for every page, then perhaps it
> needs to go in the Action classes? Yet it seems terribly redundant to
> repeat the functionality in every Action class.
Here is where the declarative security management described in the 2.2 servlet spec
starts to look really attractive. You declare the portions of the URL space that
need to be protected, the roles (usually equivalent to groups) that are allowed to
access those URLs, and link up your servlet container to your underlying "database"
of users and roles to do the authentication (in a manner defined by each servlet
container provider). If you need finer-grained control (for instance, you might
modify the contents of a particular JSP page based on who the requestor is) you can
call request.isUserInRole() or request.getRemoteUser() to find out what you need to
know.
Note that this technique avoids the need to put your own authentication logic in
any of the places described above (controller servlet, action classes, or JSP
pages).
Craig McClanahan
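The "roll your own in the controller" approach discussed above, written out as an added example (this is not code from the thread or from either poster). It assumes a hypothetical Action interface, an "action" request parameter that names the Action, a session attribute named "authenticatedUser", view paths under /WEB-INF/jsp, and a constructed in-memory credential table standing in for a real user store. The authentication check lives in exactly one place, the "login" action is exempt so the Catch-22 cannot happen, and the public/protected decision is declared centrally per action so nothing has to be repeated in the Action classes and a newly added action is protected by default.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical Action contract for this example: returns the view to forward to.
interface Action {
    String perform(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException;
}

public class ControllerServlet extends HttpServlet {
    // Session attribute holding the logged-in user name (name chosen for this example).
    static final String USER_KEY = "authenticatedUser";

    private final Map<String, Action> actions = new HashMap<>();
    // Actions reachable without a login. Anything not listed here requires one,
    // so a newly added action is protected unless someone deliberately opens it.
    private final Set<String> publicActions = new HashSet<>();

    @Override
    public void init() {
        register("login", new LoginAction(), true);  // must be public, or nobody can ever log in
        register("help", new ForwardAction("/WEB-INF/jsp/help.jsp"), true);
        register("account", new ForwardAction("/WEB-INF/jsp/account.jsp"), false);
    }

    private void register(String name, Action action, boolean isPublic) {
        actions.put(name, action);
        if (isPublic) publicActions.add(name);
    }

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getParameter("action");
        Action action = (name == null) ? null : actions.get(name);
        if (action == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // The one authentication check: deny unless the action is public or a user is logged in.
        String view;
        if (!publicActions.contains(name) && currentUser(req) == null) {
            view = "/WEB-INF/jsp/login.jsp";
        } else {
            view = action.perform(req, resp);
        }
        // Views live under /WEB-INF, which the container never serves to a browser
        // directly, so there is no way around this servlet to reach them.
        if (view != null) getServletContext().getRequestDispatcher(view).forward(req, resp);
    }

    static String currentUser(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        return (session == null) ? null : (String) session.getAttribute(USER_KEY);
    }
}

// Forwards straight to a view, for pages that need no other processing.
class ForwardAction implements Action {
    private final String view;
    ForwardAction(String view) { this.view = view; }
    public String perform(HttpServletRequest req, HttpServletResponse resp) { return view; }
}

// Hand-rolled login. The credential table is constructed for the example; a real
// application would compare against a salted password hash from its user database.
class LoginAction implements Action {
    private static final Map<String, String> USERS = new HashMap<>();
    static { USERS.put("alice", "correct horse battery staple"); }

    public String perform(HttpServletRequest req, HttpServletResponse resp) {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null || !pass.equals(USERS.get(user))) {
            req.setAttribute("loginError", Boolean.TRUE);
            return "/WEB-INF/jsp/login.jsp";
        }
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();  // do not carry the pre-login session id over
        req.getSession(true).setAttribute(ControllerServlet.USER_KEY, user);
        return "/WEB-INF/jsp/account.jsp";
    }
}
```

Keeping the JSPs under /WEB-INF, as the example does, is the alternative to the per-page check mentioned above: the servlet container does not serve anything under /WEB-INF to a client, so a JSP there can only be reached by a RequestDispatcher forward from the controller, and the controller's single check covers it. With the declarative approach from the Servlet 2.2 spec you would instead drop the LoginAction and the check in service(), put a <security-constraint> in web.xml whose <web-resource-collection> lists the protected <url-pattern> values and whose <auth-constraint> lists the allowed <role-name> values, add a <login-config> for the login method, and let Actions call request.getRemoteUser() and request.isUserInRole() where they need to know who is asking.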
===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
Some relevant FAQs on JSP/Servlets can be found at:
http://java.sun.com/products/jsp/faq.html
http://www.esperanto.org.nz/jsp/jspfaq.html
http://www.jguru.com/jguru/faq/faqpage.jsp?name=JSP
http://www.jguru.com/jguru/faq/faqpage.jsp?name=Servlets