I still disagree, and here's why: privileges should be assigned to roles,
not specific users. I don't know of a web server that doesn't support the
concept of a role; the idea is "don't expose this section of the web site to
people who aren't in this role," which means that the authentication
mechanism STILL takes care of it. If you're trying to not even expose a link
to a protected resource, it gets a TAD more complicated, but not by much:
you'd wrap the links in an if, based on role validation. In tag parlance:

<utils:ifInRole name="managers">
  <a href="managerlink/">
    ManagerLink
  </a>
</utils:ifInRole>

Using scriptlets wouldn't be much different. This way, the container is
still maintaining this information, and your app doesn't have to know about
it - to me, this is STILL a more elegant solution.

I don't mean that you simply cannot win the "JBO Seal of Approval" (a very
valuable award - it, plus three quarters, will buy you a cup of coffee and a
lot of strange looks in most places) if you store user information in a
session - but that you don't have to store user information in sessions to
achieve what you're talking about. And you're also correct in that it's not
always black and white - but it is for most cases. (If you're in one of the
myriad cases where it's NOT black and white, then you generally know what to
do about it anyway.)

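As an added example (not code from the thread), here is what the handler behind a tag like <utils:ifInRole name="managers"> could look like when it defers the role check to the container through HttpServletRequest.isUserInRole(); the class name, the TLD registration and the web.xml fragment in the comment are assumptions.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.TagSupport;

/**
 * Hypothetical handler for <utils:ifInRole name="managers">. Assumes a TLD
 * that maps the "ifInRole" tag to this class with one required attribute,
 * "name". The tag stores nothing about the user itself: the container has
 * authenticated the request and maps the principal to roles declared in
 * web.xml, e.g.
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>manager pages</web-resource-name>
 *       <url-pattern>/managerlink/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint><role-name>managers</role-name></auth-constraint>
 *   </security-constraint>
 *
 * Hiding the link only tidies the page; the constraint above is what keeps
 * a non-manager who types the URL directly from reaching the resource.
 */
public class IfInRoleTag extends TagSupport {
    private String name;

    // Set by the JSP engine from the tag's name="..." attribute.
    public void setName(String name) {
        this.name = name;
    }

    public int doStartTag() throws JspException {
        if (name == null || name.length() == 0) {
            throw new JspException("ifInRole: 'name' attribute is required");
        }
        HttpServletRequest req = (HttpServletRequest) pageContext.getRequest();
        // An unauthenticated request has no principal and is in no role, so
        // the body is skipped without the page ever touching the session.
        if (req.getUserPrincipal() != null && req.isUserInRole(name)) {
            return EVAL_BODY_INCLUDE; // render the wrapped link
        }
        return SKIP_BODY;             // omit it
    }

    // Tag handlers are pooled; clear per-use state before reuse.
    public void release() {
        name = null;
        super.release();
    }
}
```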

>From: Tom Preston <[EMAIL PROTECTED]>
>Reply-To: A mailing list about Java Server Pages specification and
>     reference <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: Check security for userID & password
>Date: Thu, 22 Feb 2001 15:20:45 -0000
>
>There are cases where you may need to store some info about the user's
>authentication or privilege information in a session.  Saying "don't ever
>put authentication information in a session" is wrong.  You may have a set
>of private pages (or sites) that should only be seen by a certain set of
>users.  It is not unacceptable on user login to store some info about this
>user's privs in the session....that way you don't continually go back to the
>db to check if it is ok for the user to see this page.  You prob don't want
>to store the username/password in the session, but storing the user's privs
>in memory is not necessarily bad....these auth questions often have to do
>with number of sites/pages that you support, different sets of users that
>you support, and total number of users that you support.  This is not so
>black and white.
>
>
>>From: Joseph Ottinger <[EMAIL PROTECTED]>
>>Reply-To: A mailing list about Java Server Pages specification and
>>     reference <[EMAIL PROTECTED]>
>>To: [EMAIL PROTECTED]
>>Subject: Re: Check security for userID & password
>>Date: Wed, 21 Feb 2001 09:05:46 -0500
>>
>>The *protocol* doesn't do anything but support the transmission of
>>authentication information. When a request for a protected resource is
>>made, the server sends back a response saying "You need to send me
>>authentication information for realm XYZ," which the browser turns into a
>>dialog box (for BASIC authentication; there are other methods, such as
>>form-based, and certificate-based.)
>>
>>Form-based is closer to what people expect here, but it's J2EE-specific as
>>far as I know; see the J2EE spec for more details. The end result in *all*
>>cases, however, is that the container manages the authentication, which is
>>what it's supposed to do - not what you're supposed to do.
>>
>>
>>>From: Piyush Jain <[EMAIL PROTECTED]>
>>>To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
>>>Subject: RE: Check security for userID & password
>>>Date: Wed, 21 Feb 2001 10:14:29 -0000
>>>
>>>
>>>Dear Mr. Joseph,
>>>
>>>I did not understand how the HTTP protocol will authenticate the user. If
>>>you could give me some example or link describing the same, I would be
>>>grateful to you.
>>>
>>>I am presently doing the same using a static HashMap from a Java class
>>>whose instance I am calling in every JSP page and then comparing the value
>>>of the key.
>>>
>>>Hope I am not disturbing you and am clear in my question.
>>>
>>>Best Regards
>>>Piyush.
>>>-----Original Message-----
>>>From:  Joseph Ottinger [SMTP:[EMAIL PROTECTED]]
>>>Sent:  Tuesday, February 20, 2001 9:19 PM
>>>To:    [EMAIL PROTECTED]
>>>Subject:       Re: Check security for userID & password
>>>
>>>You're doing too much work. The HTTP protocol allows authentication and
>>>authorization to be handled by the web server; it's usually easier to
>>>maintain, and is much faster than handling it yourself. Adding an
>>>interception servlet is all well and good, but adds a manual interception
>>>point; if the protocol supports it, it's going to be faster and more
>>>portable than a hand-written solution.
>>>
>>>Don't store user/pass in sessions!
>>>
>>>
>>> >From: CJ Smessaert <[EMAIL PROTECTED]>
>>> >Reply-To: A mailing list about Java Server Pages specification and
>>> >     reference <[EMAIL PROTECTED]>
>>> >To: [EMAIL PROTECTED]
>>> >Subject: Re: Check security for userID & password
>>> >Date: Tue, 20 Feb 2001 09:24:50 -0600
>>> >
>>> >I solved this using a bit of a 'hybrid'. Basically, I registered an
>>> >authentication servlet as an alias within the servlet container, mapped
>>> >to /. So, anytime a user requests a url with the alias in it, the servlet
>>> >gets executed, checking whether the user is authenticated. If they
>>> >aren't, they get redirected to login. If they are, they see the requested
>>> >item.
>>> >
>>> >Nice thing is, it works for ANY content requested (.html, .pdf, etc) and
>>> >not just .jsp.
>>> >
>>> >
>>> >-----Original Message-----
>>> >From: Hines, Bill [mailto:[EMAIL PROTECTED]]
>>> >Sent: Tuesday, February 20, 2001 8:11 AM
>>> >To: [EMAIL PROTECTED]
>>> >Subject: Re: Check security for userID & password
>>> >
>>> >
>>> >But also, doing it this way (with no tags in the page), you are allowing
>>> >a non-logged in user to see the JSP page. In some cases this is
>>> >unacceptable, and you must have a tag at the top of each page that checks
>>> >to see if the user is logged in.
>>> >
>>> >Bill Hines
>>> >Hershey Foods.
>>> >
>>> >-----Original Message-----
>>> >From: Sachin S. Khanna [mailto:[EMAIL PROTECTED]]
>>> >Sent: Tuesday, February 20, 2001 1:54 AM
>>> >To: [EMAIL PROTECTED]
>>> >Subject: Re: Check security for userID & password
>>> >
>>> >Two ways of doing it depending on which architecture model you are using.
>>> >Assuming you have a Login Bean which would hold the user name and password
>>> >which is placed into the user's session when the user successfully logs
>>> >in.
>>> >If you are using the Model 2 architecture keep a check (an if statement)
>>> >in the controller servlet which would try to get the Login Bean from the
>>> >user's session (using the getAttribute() method). If it returns null then
>>> >redirect the user to the login page, if not give him the access.
>>> >In case you are using the Model 1 architecture, you would need to place
>>> >the check (an if statement) in every jsp page that requires the user to be
>>> >logged in.
>>> >Have a nice day.
>>> >With regards,
>>> >Sachin S. Khanna.
>>> >www.emailanorder.com
>>> >
>>>
>>
>

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
Some relevant FAQs on JSP/Servlets can be found at:

 http://java.sun.com/products/jsp/faq.html
 http://www.esperanto.org.nz/jsp/jspfaq.html
 http://www.jguru.com/jguru/faq/faqpage.jsp?name=JSP
 http://www.jguru.com/jguru/faq/faqpage.jsp?name=Servlets