The system we are developing checks the session for a cached "principal"
(Java Security API) instance...  if present we then check if the proper
"permission" (another Java Security API object) is attached for the service
/ access being requested.  Unless the principal exists and is authorized the
servlet cannot access the service on behalf of the user (represented by the
principal)...  When we authenticate (we also use a combination of LDAP and
db), if the user is authenticated a principal instance is created, the
assigned permissions are added, and attached to the session.

Just a few thoughts, hope they help.

Daniel Kaschner

Systems Architect
eBenx
605 North Hwy. 169
Suite LL
Minneapolis, MN 55441-6465
(763) 614-2211
[EMAIL PROTECTED]


-----Original Message-----
From: Steven Irwin [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 15, 2000 11:59 PM
To: [EMAIL PROTECTED]
Subject: Re: basic authentication and servlets


I have the same problem... I authenticate users (members) via a servlet from
our corporate db and would then like to set the Authorise header so that the
user can access a series of protected pages on our web site. I don't want to
authenticate with the web server because we have over 60K members. I really
only want to provide user authentication for member pages outside of my
application requiring lightweight protection, all of the data updates,
member data and ecommerce stuff happens via servlet and ssl.

Any suggestions appreciated.

Steve Irwin
Senior Web Developer
Stepsoft Pty Ltd
+61 2 62706580

>>> Jake Brain <[EMAIL PROTECTED]> 08/09 3:03 am >>>
I don't want Apache to handle all authentication because that means the client
has to enter credentials in a pop up window, which does not look nice
compared to a nice log in page. But someone must know how to tell Apache this
client has authenticated. I am surprised there is no setAuthorization method
in servlet API. After reading the O'Reilly book, I thought I could make login
servlet unprotected. If the user is valid, I could use URLConnection which
has setRequestProperty (to use for authentication). With UrlConn I set the
authorization header, and read a protected file. But will Apache be duped
into thinking the Auth header from urlConn is the authHeader from the
client?
Any ideas?
In a message dated 8/8/00 11:10:29 AM Eastern Daylight Time,
[EMAIL PROTECTED] writes:

<<      I would assume that the authentication is all or nothing.  Why not
 just have Apache handle the authentication, and grab the username from the
 environment?
  >>

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
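
The session check described in the first message of this thread (a cached principal carrying its assigned permissions, consulted before each service call), as an added example that is not code from any poster. `ServicePermission`, `UserPrincipal`, the `auth.principal` attribute name and the `Map` standing in for the servlet session are assumptions made for illustration.

```java
import java.security.BasicPermission;
import java.security.Permission;
import java.security.Permissions;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

public class SessionAuthzExample {
    // Hypothetical permission type: the name identifies a service, e.g. "orders.read".
    static final class ServicePermission extends BasicPermission {
        ServicePermission(String name) { super(name); }
    }

    // Hypothetical principal that carries the permissions assigned at login.
    static final class UserPrincipal implements Principal {
        private final String name;
        private final Permissions granted = new Permissions();

        UserPrincipal(String name, String... services) {
            this.name = name;
            for (String s : services) granted.add(new ServicePermission(s));
            granted.setReadOnly(); // nothing can be granted after authentication
        }
        @Override public String getName() { return name; }
        boolean isAuthorized(Permission requested) { return granted.implies(requested); }
    }

    static final String KEY = "auth.principal"; // assumed session attribute name

    // Default deny: no cached principal, or no matching permission, means no access.
    static boolean mayAccess(Map<String, Object> session, String service) {
        Object cached = session.get(KEY);
        if (!(cached instanceof UserPrincipal)) return false;
        return ((UserPrincipal) cached).isAuthorized(new ServicePermission(service));
    }

    public static void main(String[] args) {
        // Constructed sample: the Map stands in for the servlet session's attributes.
        Map<String, Object> session = new HashMap<>();
        System.out.println("before login:  " + mayAccess(session, "orders.read"));

        // After LDAP/db authentication succeeds, build the principal and cache it.
        session.put(KEY, new UserPrincipal("alice", "orders.read", "profile.*"));
        System.out.println("orders.read:   " + mayAccess(session, "orders.read"));
        System.out.println("profile.edit:  " + mayAccess(session, "profile.edit"));
        System.out.println("orders.delete: " + mayAccess(session, "orders.delete"));
    }
}
```

In a servlet the lookup would go through `HttpSession.getAttribute`; the `profile.*` grant covers `profile.edit` through `BasicPermission`'s wildcard name matching.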
