There are cases where you may need to store some info about the user's
authentication or privilege information in a session. Saying "don't ever
put authentication information in a session" is wrong. You may have a set
of private pages (or sites) that should only be seen by a certain set of
users. It is not unacceptable on user login to store some info about this
user's privs in the session; that way you don't continually go back to the
db to check if it is ok for the user to see this page. You probably don't want
to store the username/password in the session, but storing the user's privs
in memory is not necessarily bad. These auth questions often have to do
with the number of sites/pages that you support, the different sets of users
that you support, and the total number of users that you support. This is not
so black and white.


>From: Joseph Ottinger <[EMAIL PROTECTED]>
>Reply-To: A mailing list about Java Server Pages specification and
>     reference <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: Check security for userID & password
>Date: Wed, 21 Feb 2001 09:05:46 -0500
>
>The *protocol* doesn't do anything but support the transmission of
>authentication information. When a request for a protected resource is made,
>the server sends back a response saying "You need to send me authentication
>information for realm XYZ," which the browser turns into a dialog box (for
>BASIC authentication; there are other methods, such as form-based, and
>certificate-based.)
>
>Form-based is closer to what people expect here, but it's J2EE-specific as
>far as I know; see the J2EE spec for more details. The end result in *all*
>cases, however, is that the container manages the authentication, which is
>what it's supposed to do - not what you're supposed to do.
>
>
>>From: Piyush Jain <[EMAIL PROTECTED]>
>>To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
>>Subject: RE: Check security for userID & password
>>Date: Wed, 21 Feb 2001 10:14:29 -0000
>>
>>
>>Dear Mr. Joseph,
>>
>>I did not understand how the HTTP protocol will authenticate the user. If
>>you could give me some example or link describing the same, I would be
>>grateful to you.
>>
>>I am presently doing the same using a static HashMap from a Java class whose
>>instance I am calling in every JSP page and then comparing the value of the
>>key.
>>
>>I hope I am not disturbing you and am clear in my question.
>>
>>Best Regards
>>Piyush.
>>-----Original Message-----
>>From:  Joseph Ottinger [SMTP:[EMAIL PROTECTED]]
>>Sent:  Tuesday, February 20, 2001 9:19 PM
>>To:    [EMAIL PROTECTED]
>>Subject:       Re: Check security for userID & password
>>
>>You're doing too much work. The HTTP protocol allows authentication and
>>authorization to be handled by the web server; it's usually easier to
>>maintain, and is much faster than handling it yourself. Adding an
>>interception servlet is all well and good, but adds a manual interception
>>point; if the protocol supports it, it's going to be faster and more
>>portable than a hand-written solution.
>>
>>Don't store user/pass in sessions!
>>
>>
>> >From: CJ Smessaert <[EMAIL PROTECTED]>
>> >Reply-To: A mailing list about Java Server Pages specification and
>> >     reference <[EMAIL PROTECTED]>
>> >To: [EMAIL PROTECTED]
>> >Subject: Re: Check security for userID & password
>> >Date: Tue, 20 Feb 2001 09:24:50 -0600
>> >
>> >I solved this using a bit of a 'hybrid'. Basically, I registered an
>> >authentication servlet as an alias within the servlet container, mapped to
>> >/. So, anytime a user requests a URL with the alias in it, the servlet gets
>> >executed, checking whether the user is authenticated. If they aren't, they
>> >get redirected to login. If they are, they see the requested item.
>> >
>> >Nice thing is, it works for ANY content requested (.html, .pdf, etc) and
>> >not just .jsp.
>> >
>> >
>> >-----Original Message-----
>> >From: Hines, Bill [mailto:[EMAIL PROTECTED]]
>> >Sent: Tuesday, February 20, 2001 8:11 AM
>> >To: [EMAIL PROTECTED]
>> >Subject: Re: Check security for userID & password
>> >
>> >
>> >But also, doing it this way (with no tags in the page), you are allowing a
>> >non-logged-in user to see the JSP page. In some cases this is unacceptable,
>> >and you must have a tag at the top of each page that checks to see if the
>> >user is logged in.
>> >
>> >Bill Hines
>> >Hershey Foods.
>> >
>> >-----Original Message-----
>> >From: Sachin S. Khanna [mailto:[EMAIL PROTECTED]]
>> >Sent: Tuesday, February 20, 2001 1:54 AM
>> >To: [EMAIL PROTECTED]
>> >Subject: Re: Check security for userID & password
>> >
>> >Two ways of doing it, depending on which architecture model you are using.
>> >Assuming you have a Login Bean which would hold the user name and password
>> >which is placed into the user's session when the user successfully logs in.
>> >If you are using the Model 2 architecture, keep a check (an if statement) in
>> >the controller servlet which would try to get the Login Bean from the user's
>> >session (using the getAttribute() method). If it returns null then redirect
>> >the user to the login page, if not give him access.
>> >In case you are using the Model 1 architecture, you would need to place the
>> >check (an if statement) in every JSP page that requires the user to be
>> >logged in.
>> >Have a nice day.
>> >With regards,
>> >Sachin S. Khanna.
>> >www.emailanorder.com
>> >
>> >===========================================================================
>> >To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff
>> >JSP-INTEREST".
>> >For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST
>> >DIGEST".
>> >Some relevant FAQs on JSP/Servlets can be found at:
>> >
>> >  http://java.sun.com/products/jsp/faq.html
>> >  http://www.esperanto.org.nz/jsp/jspfaq.html
>> >  http://www.jguru.com/jguru/faq/faqpage.jsp?name=JSP
>> >  http://www.jguru.com/jguru/faq/faqpage.jsp?name=Servlets
>> >
>>
>>_________________________________________________________________
>>Get your FREE download of MSN Explorer at http://explorer.msn.com
>>
>
>


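The approach argued for in the top message and in the replies from CJ Smessaert and Sachin (intercept every request once, keep the user's privileges in the session rather than the password), written out as an added example; this is not code from anyone in the thread. The names Priv, Authenticator, SessionUser, the "auth.user" session attribute, the "authenticator" context attribute and the /login.jsp and /private/ paths are assumptions for the illustration, and the credential check itself is left behind the Authenticator interface. It uses Servlet 3.0 annotations, which postdate the thread; in the Servlet 2.x of 2001 the same filter would be declared in web.xml with a <filter-mapping> on /private/*.

```java
// --- Shared types (file SessionAuth.java) ---
import java.io.Serializable;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Set;

// Privilege names are hypothetical; a real application loads them from its own tables.
enum Priv { VIEW_REPORTS, ADMIN }

// Hypothetical credential check against the user database: returns the user's
// privileges on success, null on failure. The lookup itself is outside this example.
interface Authenticator { Set<Priv> verify(String username, char[] password); }

// The only thing login puts in the session: who the user is and what they may do.
// No password or password hash is kept. Serializable so that containers which
// persist or replicate sessions can copy it.
final class SessionUser implements Serializable {
    private static final long serialVersionUID = 1L;
    final String username;
    private final Set<Priv> privs;
    SessionUser(String username, Set<Priv> privs) {
        this.username = username;
        this.privs = Collections.unmodifiableSet(
            privs.isEmpty() ? EnumSet.noneOf(Priv.class) : EnumSet.copyOf(privs));
    }
    boolean has(Priv p) { return privs.contains(p); }
}

// --- file LoginServlet.java ---
import java.io.IOException;
import java.util.Set;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    static final String ATTR = "auth.user";   // session attribute holding the SessionUser

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Assumed: a startup listener registered the Authenticator under this context attribute.
        Authenticator auth = (Authenticator) getServletContext().getAttribute("authenticator");
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        Set<Priv> privs = (username == null || password == null)
                ? null : auth.verify(username, password.toCharArray());
        if (privs == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Discard any pre-login session so the client cannot keep a session ID it
        // chose or was handed before authenticating (session fixation).
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        req.getSession(true).setAttribute(ATTR, new SessionUser(username, privs));
        resp.sendRedirect(req.getContextPath() + "/private/");
    }
}

// --- file PrivFilter.java ---
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Runs before anything under /private/, whatever its type (.jsp, .html, .pdf), so
// the check lives in one place instead of at the top of every page.
@WebFilter("/private/*")
public class PrivFilter implements Filter {
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse resp = (HttpServletResponse) rs;
        HttpSession s = req.getSession(false);   // never create a session just to inspect it
        Object o = (s == null) ? null : s.getAttribute(LoginServlet.ATTR);
        if (!(o instanceof SessionUser)) {
            resp.sendRedirect(req.getContextPath() + "/login.jsp");   // hypothetical login page
            return;
        }
        SessionUser user = (SessionUser) o;
        // Work out which privilege this path needs. Use the container's decoded,
        // normalised path, not getRequestURI(): that one is still URL-encoded, so a
        // request for /private/%61dmin/ would not start with "/private/admin/".
        String path = req.getServletPath() + (req.getPathInfo() == null ? "" : req.getPathInfo());
        Priv needed = path.startsWith("/private/admin/") ? Priv.ADMIN : Priv.VIEW_REPORTS;
        if (!user.has(needed)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setHeader("Cache-Control", "no-store");   // keep private pages out of shared caches
        chain.doFilter(rq, rs);
    }
}
```

Privileges cached this way are only as fresh as the last login: if an administrator revokes a right, either invalidate that user's sessions on the server or keep a privilege version number in the session and go back to the database when it no longer matches the current one. Mark the session cookie HttpOnly and Secure (the <cookie-config> element of web.xml in Servlet 3.0) since the session ID now stands in for the password the session deliberately does not hold.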

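Joseph's alternative, letting the container do the authentication, as an added example (again not code from the thread). It uses the Servlet 3.0 @ServletSecurity annotation and HttpServletRequest.authenticate()/logout(), none of which existed in 2001; in the J2EE of the time the same constraint was declared in web.xml as a <security-constraint>. The login method (BASIC, FORM or CLIENT-CERT) still has to be declared there in <login-config>, which has no annotation equivalent. The role names report-viewer and report-admin, the URLs and the contents of the container's realm are assumptions.

```java
// --- file ReportsServlet.java ---
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Role names and URLs are hypothetical. The container's realm (its user store) is
// assumed to map users to these roles; this code never sees a password.
@WebServlet("/reports/*")
@ServletSecurity(@HttpConstraint(
        rolesAllowed = "report-viewer",
        transportGuarantee = TransportGuarantee.CONFIDENTIAL))   // HTTPS only
public class ReportsServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Before this method runs the container has already (1) challenged an
        // unauthenticated client (401 + WWW-Authenticate for BASIC, or the login
        // form for FORM), (2) checked the credentials against its realm, and
        // (3) answered 403 to anyone who is not in "report-viewer".
        String user = req.getRemoteUser();                    // set by the container
        boolean canExport = req.isUserInRole("report-admin"); // per-request role check
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println("Reports for " + user + (canExport ? " (export enabled)" : ""));
    }
}

// --- file AccountServlet.java ---
// An unconstrained URL showing the programmatic side of the same mechanism.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/account")
public class AccountServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Not logged in yet: ask the container to run its configured login
        // mechanism now. When authenticate() returns false it has already written
        // the challenge or login page to the response, so nothing more may be sent.
        if (req.getRemoteUser() == null && !req.authenticate(resp)) {
            return;
        }
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println("Signed in as " + req.getRemoteUser());
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Logout: clear the container's notion of the caller and drop the session
        // that carried it. Browsers keep resending BASIC credentials until they are
        // closed, so with BASIC a server-side logout alone does not end the login.
        req.logout();
        HttpSession s = req.getSession(false);
        if (s != null) s.invalidate();
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```

The form-based login Joseph mentions is selected with <auth-method>FORM</auth-method> and a login page whose form posts j_username and j_password to j_security_check; the container then intercepts requests to constrained URLs itself and remembers the authenticated principal for the rest of the session, which is why isUserInRole() is answered by the container rather than by a database trip in your code. BASIC sends the credentials with every request, so the CONFIDENTIAL transport guarantee (HTTPS) is not optional with it.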