How about making people sign-in with a password and their e-mail address as a user ID? This kind of thing is used at a lot of web sites and is self-administering.

Here's a 10000 foot view of how I have handled a similar situation...

...the web application has only a single "main" servlet. All requests go through the main servlet and then the main servlet forwards the requests to other servlets. There are many ways to accomplish this, for instance you could have a parameter that denotes the page.

...the main servlet checks the HttpSession associated with an incoming request for previously saved user info. If not found then the user is presented with a screen to sign-in or register.

....If the user is new then they will choose to register by giving you an e-mail address and a password. In response your servlet will send a message to the given e-mail address asking the user to confirm that they really reside at the given address. See the Java Mail API for info on sending/retrieving mail. When you get proper confirmation from the user (the response should contain some unique info from the confirmation message you send) then put the e-mail address and password in a user database.

...If the user has previously registered/confirmed then they will enter an e-mail address and password at the sign-in screen and you will verify them against the user database and put the user info in the session associated with the request.

Now you will have user info associated with every request and you can track what pages they look at and you don't have to build a user database.

ted stockwell

> -----Original Message-----
> From: Kevin Mukhar [SMTP:[EMAIL PROTECTED]]
> Sent: Friday, October 08, 1999 8:48 AM
> To: [EMAIL PROTECTED]
> Subject: Re: How to get a users email address ?
>
> Alan Smith wrote:
> >
> > In this particular application they do have an email address.
> > All the traffic for the site is internal to the bank, which I am currently working for, and there are no external users. As the data the site is presenting is sensitive the PHB's want to know who is looking at it.
> >
> > Registered users isn't an option because of the "management" overhead of maintaining a user database so there are only a few "well known" user names and passwords to log into the site.
> > IP addresses are not really an option because they don't have a central database of who has got which IP address (they just dole out batches of them to different departments).
> >
> > The only other unique id I could think of was their email address. The idea being that as the different servlets are invoked I can log who is looking at what. However now I cannot figure out how to get their email address.
>
> Well, then, you're pretty well up a creek. The HTTP protocol, which is the general method for communicating with a servlet, does not specify a field for the user's email address. There is no way to _automatically_ get it from an HttpServletRequest.
>
> Suggestions:
>
> - Tell the PHB's that there's no way to do it, and that if they have a concern about who is looking at the data, then they have a bigger problem that they need to solve first.
> - Having only a few well known user names and passwords is not a very good solution in terms of security. Suck it up and force separate username/passwords for every user.
> - Okay, so you still don't want separate username/passwords? Force separate username/passwords for your part of the system. You might be forced to use a flat file as your user database, but it can't be that bad can it? (Of course, this doesn't scale well, and if you really do have thousands and thousands of users, you'll want to go back to the previous suggestion.)
> Alternately, if there are email addresses, there's probably a directory service associated with the mail service. You can still force them to sign in with a username, and if you are able to talk to the directory server, you can cross-check the username against the directory server.
> - The HTTP request DOES include the referrer address. You can use getRemoteHost or getRemoteAddr to retrieve that information. Tell the PHB that machine IP address is the best that can be done. If there's a problem, you know the IP address and can use that (with a little bit of leg work) to find the actual machine, and from there, find out who was logged on at the time the request was made.
>
> Kevin Mukhar
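
The register, confirm and sign-in steps outlined at the top of this reply, as an added example that is not part of the original thread. The class and method names are hypothetical, in-memory maps stand in for the user database, the 24-hour token lifetime and the PBKDF2 work factor are assumptions, and sending the mail is left to the caller (Java 17 or later):

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
public class EmailRegistration { // hypothetical class; the maps stand in for the user database
    record Account(String email, byte[] salt, byte[] pwHash, Instant expires) {}
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Account> pending = new ConcurrentHashMap<>(); // key: hash of token
    private final Map<String, Account> users = new ConcurrentHashMap<>();   // key: e-mail address
    static byte[] pbkdf2(char[] pw, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(pw, salt, 600_000, 256); // assumed work factor
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }
    static String sha256(String s) throws GeneralSecurityException {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(d);
    }
    // Registration: returns the unique value to embed in the confirmation e-mail.
    public String register(String email, char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[16], raw = new byte[32];
        RNG.nextBytes(salt);
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        // Keep only hashes of the token and the password; the account is not usable yet.
        pending.put(sha256(token), new Account(email, salt, pbkdf2(password, salt),
                Instant.now().plusSeconds(24 * 3600)));
        return token;
    }
    // Confirmation: single use and time limited; returns the confirmed address or null.
    public String confirm(String token) throws GeneralSecurityException {
        Account a = pending.remove(sha256(token)); // remove() makes the token one-shot
        if (a == null || Instant.now().isAfter(a.expires())) return null;
        users.put(a.email(), a);
        return a.email();
    }
    // Sign-in: on success the caller stores the address in the HttpSession.
    public boolean signIn(String email, char[] password) throws GeneralSecurityException {
        Account a = users.get(email);
        return a != null && MessageDigest.isEqual(a.pwHash(), pbkdf2(password, a.salt()));
    }
    public static void main(String[] args) throws Exception { // constructed sample values
        EmailRegistration r = new EmailRegistration();
        String t = r.register("user@example.com", "sample-pw".toCharArray());
        System.out.println(r.confirm(t) + " " + r.confirm(t) + " "
                + r.signIn("user@example.com", "sample-pw".toCharArray()));
    }
}
```

The main servlet would call `signIn` from the sign-in screen and write the address into the session only when it returns true, so the per-request log is tied to a confirmed mailbox rather than to a shared account.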
