We are creating a web-application which uses user profile data from an
LDAP server.

We would like to use container managed authentication, since this makes
a lot of things easier. We also want connections to the LDAP server to be
authenticated with the current user's credentials, as this server
contains potentially sensitive data, as opposed to normal JDBC
connections, where one most often uses credentials with
super-privileges.

This poses some problems, and I am interested in hearing comments on our
approach.

We have created a resource factory that gives us connections to the LDAP
server, authenticated with the credentials given when the connection is
retrieved.

If we want to use container managed persistence however, we do not have
this information, since the realm impl. used by the servlet engine is
the only piece of code that sees that information.

We could (since our initial approach uses tomcat 4.0dev) implement our
own realm impl., which could work with the resource factory to return
the correct authenticated connections to a given running session. This
does not work however, since the realm lives inside a different
classloader from the web-application.

FYI, we specify our resource factory using Tomcat-specific
<resource></resource> which works very nicely. We can retrieve the
resource factory by doing e.g. initCtx.lookup("jndi/connectionPool");


So I ask, what is the "right way" of treating login credentials and
resource factories that need such information?

If my information is correct, IPlanet is the only application server
that can do the stuff described above out of the box.



--
- Torgeir
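
The per-user bind that a resource factory like the one described in the message would perform, as an added example that is not part of the original message or of Tomcat. The class name, the server URL, the base DN and the uid-based DN layout are assumptions made for illustration.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.Rdn;

/** Hypothetical factory: one LDAP bind per user, never a shared privileged account. */
public class PerUserLdapFactory {
    private final String url;        // placeholder, e.g. "ldaps://ldap.example.com:636"
    private final String userBaseDn; // placeholder, e.g. "ou=people,dc=example,dc=com"

    public PerUserLdapFactory(String url, String userBaseDn) {
        this.url = url;
        this.userBaseDn = userBaseDn;
    }

    /** Builds the bind DN; Rdn.escapeValue keeps a crafted user name from altering the DN. */
    String bindDn(String username) {
        return "uid=" + Rdn.escapeValue(username) + "," + userBaseDn;
    }

    /** Returns a context bound as the user; the caller must close() it. */
    public DirContext connect(String username, char[] password) throws NamingException {
        // An empty password turns a simple bind into an unauthenticated bind, which
        // many servers accept, so refuse it before contacting the server.
        if (username == null || username.isEmpty() || password == null || password.length == 0) {
            throw new AuthenticationException("empty user name or password");
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn(username));
        env.put(Context.SECURITY_CREDENTIALS, password); // the LDAP provider accepts char[]
        return new InitialDirContext(env); // AuthenticationException on bad credentials
    }

    public static void main(String[] args) {
        PerUserLdapFactory f = new PerUserLdapFactory(
                "ldaps://ldap.example.com:636", "ou=people,dc=example,dc=com");
        // Constructed input: the comma in the user name is escaped, not treated as a DN separator.
        System.out.println(f.bindDn("alice,ou=admins"));
        try {
            f.connect("alice", new char[0]); // rejected locally, no network access
        } catch (NamingException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```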
