Alan Smith wrote:
>
> In this particular application they do have an email address. All the
> traffic for the site is internal to the bank, which I am currently
> working for, and there are no external users. As the data the site is
> presenting is sensitive the PHBs want to know who is looking at it.
>
> Registered users aren't an option because of the "management" overhead of
> maintaining a user database, so there are only a few "well known" user
> names and passwords to log into the site.
> IP addresses are not really an option because they don't have a central
> database of who has got which IP address (they just dole out batches of
> them to different departments).
>
> The only other unique id I could think of was their email address. The
> idea being that as the different servlets are invoked I can log who is
> looking at what. However now I cannot figure out how to get their email
> address.
Well, then, you're pretty well up a creek. The HTTP protocol, which is the
general method for communicating with a servlet, does not specify a field for
the user's email address. There is no way to _automatically_ get it from an
HttpServletRequest.
Suggestions:
- Tell the PHBs that there's no way to do it, and that if they have a concern
about who is looking at the data, then they have a bigger problem that they need
to solve first.
- Having only a few well known user names and passwords is not a very good
solution in terms of security. Suck it up and force separate username/passwords
for every user.
- Okay, so you still don't want separate username/passwords? Force separate
username/passwords for your part of the system. You might be forced to use a
flat file as your user database, but it can't be that bad can it? (Of course,
this doesn't scale well, and if you really do have thousands and thousands of
users, you'll want to go back to the previous suggestion.) Alternately, if there
are email addresses, there's probably a directory service associated with the
mail service. You can still force them to sign in with a username, and if you
are able to talk to the directory server, you can cross-check the username
against the directory server.
- The HTTP request DOES include the referrer address. You can use getRemoteHost
or getRemoteAddr to retrieve that information. Tell the PHB that machine IP
address is the best that can be done. If there's a problem, you know the IP
address and can use that (with a little bit of leg work) to find the actual
machine, and from there, find out who was logged on at the time the request was
made.
Kevin Mukhar
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
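The two pieces of Kevin's advice that can actually be coded, a forced per-user sign-in and a per-request record of who looked at what, fit naturally in a servlet Filter. The example below is added here and is not code from the original thread or from either poster. It assumes a login servlet (not shown) that, after verifying the credentials against a flat file or a directory server, stores the username in the session under the attribute name "audit.username"; the class name AuditFilter, that attribute name, and the "auditLog" init parameter are all assumptions. It uses only the standard javax.servlet Filter API (Servlet 2.3 and later).

```java
// AuditFilter: refuses requests that carry no signed-in user and writes one
// audit line per request with the username, the client address reported by
// the request, and the URI. Added example; names below are assumptions.
import java.io.FileWriter;
import java.io.IOException;
import java.io.PrintWriter;
import java.text.SimpleDateFormat;
import java.util.Date;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class AuditFilter implements Filter {
    // Session attribute the (assumed) login servlet sets after a successful sign-in.
    private static final String USER_ATTR = "audit.username";
    private String logPath;

    public void init(FilterConfig cfg) throws ServletException {
        // Optional filter init-param naming the audit file; default is relative
        // to the container's working directory.
        logPath = cfg.getInitParameter("auditLog");
        if (logPath == null) {
            logPath = "audit.log";
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest hreq = (HttpServletRequest) req;
        HttpServletResponse hres = (HttpServletResponse) res;

        // getSession(false) never creates a session, so an unauthenticated
        // visitor cannot cause one to appear just by hitting the filter.
        HttpSession session = hreq.getSession(false);
        String user = (session == null) ? null : (String) session.getAttribute(USER_ATTR);

        if (user == null) {
            // Record the refused attempt too: the address alone is the best
            // the protocol gives us when nobody is signed in.
            audit("DENIED", "-", hreq);
            hres.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        audit("OK", user, hreq);
        chain.doFilter(req, res);
    }

    // One line per request. Synchronized because the container calls
    // doFilter from many threads and the file is shared.
    private synchronized void audit(String outcome, String user, HttpServletRequest r)
            throws IOException {
        String when = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ssZ").format(new Date());
        String line = when + " " + outcome
                + " user=" + clean(user)
                + " addr=" + r.getRemoteAddr()        // peer IP; a proxy's IP if one is in the path
                + " host=" + r.getRemoteHost()        // may trigger a reverse DNS lookup
                + " " + r.getMethod() + " " + clean(r.getRequestURI());
        PrintWriter out = new PrintWriter(new FileWriter(logPath, true));
        try {
            out.println(line);
        } finally {
            out.close();
        }
    }

    // Strip CR/LF so a crafted username or URI cannot forge extra log lines.
    private static String clean(String s) {
        return s.replace('\r', ' ').replace('\n', ' ');
    }

    public void destroy() {
    }
}
```

Map the filter to the protected servlets with a filter-mapping in web.xml and leave the login servlet itself outside the mapping, otherwise nobody can ever sign in. Two caveats on the address fields Kevin mentions: getRemoteAddr returns the address of whatever opened the TCP connection, so behind a proxy or load balancer it records the proxy, not the user; and getRemoteHost may perform a reverse DNS lookup on every request, which is both slow and only as trustworthy as the bank's internal DNS.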