Alan:

Maybe you can use a cookie in this situation? Something like this perhaps:
Have a servlet that checks for the cookie when your user first hits the
sensitive part of the site. If it's not there, ask them for their email
address & password - then use a directory service (if you've got one on your
network) to validate it & stash the cookie on their client side. It still
means they have to "log in", but basically only once.

Alternative: Do they log in to an NT domain or onto a Win95/98 box at the
client side? You can have a signed applet read that info then if needs be,
and use it to establish who they are?

Good luck in any case

Mike
Javacorporate Ltd

> -----Original Message-----
> From: A mailing list for discussion about Sun Microsystem's Java Servlet
> API Technology. [mailto:[EMAIL PROTECTED]]On Behalf Of Kevin Mukhar
> Sent: Friday, October 08, 1999 9:48 AM
> To: [EMAIL PROTECTED]
> Subject: Re: How to get a users email address ?
>
>
> Alan Smith wrote:
> >
> > In this particular application they do have an email address. All the
> > traffic for the site is internal to the bank, which I am currently
> > working for, and there are no external users. As the data the site is
> > presenting is sensitive the PHB's want to know who is looking at it.
> >
> > Registered users isn't an option because of the "management" overhead of
> > maintaining a user database so there are only a few "well known" user
> > names and passwords to log into the site.
> > IP addresses are not really an option because they don't have a central
> > database of who has got which IP address (they just dole out batches of
> > them to different departments).
> >
> > The only other unique id I could think of was their email address. The
> > idea being that as the different servlets are invoked I can log who is
> > looking at what. However now I cannot figure out how to get their email
> > address.
>
> Well, then, you're pretty well up a creek. The HTTP protocol, which is the
> general method for communicating with a servlet, does not specify a field for
> the user's email address. There is no way to _automatically_ get it from an
> HttpServletRequest.
>
> Suggestions:
>
> - Tell the PHB's that there's no way to do it, and that if they have a concern
> about who is looking at the data, then they have a bigger problem that they need
> to solve first.
> - Having only a few well known user names and passwords is not a very good
> solution in terms of security. Suck it up and force separate username/passwords
> for every user.
> - Okay, so you still don't want separate username/passwords? Force separate
> username/passwords for your part of the system. You might be forced to use a
> flat file as your user database, but it can't be that bad can it? (Of course,
> this doesn't scale well, and if you really do have thousands and thousands of
> users, you'll want to go back to the previous suggestion.) Alternately, if there
> are email addresses, there's probably a directory service associated with the
> mail service. You can still force them to sign in with a username, and if you
> are able to talk to the directory server, you can cross-check the username
> against the directory server.
> - The HTTP request DOES include the referrer address. You can use getRemoteHost
> or getRemoteAddr to retrieve that information. Tell the PHB that machine IP
> address is the best that can be done. If there's a problem, you know the IP
> address and can use that (with a little bit of leg work) to find the actual
> machine, and from there, find out who was logged on at the time the request was
> made.
>
> Kevin Mukhar
>
> ___________________________________________________________________________
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff SERVLET-INTEREST".
>
> Archives: http://archives.java.sun.com/archives/servlet-interest.html
> Resources: http://java.sun.com/products/servlet/external-resources.html
> LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
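
Added example, not part of the original thread or any poster's code: the cookie scheme suggested at the top of this message only identifies the viewer for audit logging if the client cannot edit the cookie, so this sketch signs the email address and an expiry with a server-side HMAC key and rejects altered or expired values. The class name IdentityCookie, the secret and the addresses are hypothetical, and the directory-service check is assumed to have succeeded before issue() is called.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example: signed identity cookie value. Class and method names are hypothetical.
public class IdentityCookie {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private final SecretKeySpec key; // server-side secret, never sent to the client

    public IdentityCookie(byte[] secret) { key = new SecretKeySpec(secret, "HmacSHA256"); }

    private byte[] mac(String payload) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        return m.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }

    // Call only after the directory service has accepted the email address and password.
    public String issue(String email, long expiresEpochSec) throws Exception {
        String payload = ENC.encodeToString(email.getBytes(StandardCharsets.UTF_8)) + "." + expiresEpochSec;
        return payload + "." + ENC.encodeToString(mac(payload));
    }

    // Returns the email address for the audit log, or null if the value is absent, altered or expired.
    public String verify(String cookieValue, long nowEpochSec) {
        try {
            String[] p = cookieValue.split("\\.");
            if (p.length != 3) return null;
            byte[] given = Base64.getUrlDecoder().decode(p[2]);
            if (!MessageDigest.isEqual(mac(p[0] + "." + p[1]), given)) return null; // constant-time compare
            if (Long.parseLong(p[1]) < nowEpochSec) return null;
            return new String(Base64.getUrlDecoder().decode(p[0]), StandardCharsets.UTF_8);
        } catch (Exception e) {
            return null; // null or malformed input: treat as "no cookie" and ask for login again
        }
    }

    public static void main(String[] args) throws Exception {
        IdentityCookie ic = new IdentityCookie("constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
        long now = System.currentTimeMillis() / 1000;
        String cookie = ic.issue("alan@bank.example", now + 8 * 3600); // constructed address
        String[] p = cookie.split("\\.");
        String forged = ENC.encodeToString("someone.else@bank.example".getBytes(StandardCharsets.UTF_8)) + "." + p[1] + "." + p[2];
        System.out.println("genuine: " + ic.verify(cookie, now));
        System.out.println("forged:  " + ic.verify(forged, now));
        System.out.println("expired: " + ic.verify(cookie, now + 9 * 3600));
    }
}
```

In a servlet the value would be read from request.getCookies() and set with response.addCookie(), with setSecure(true) on the Cookie so it is only sent over HTTPS.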
