The login facilities defined in the Servlet 2.2 spec are good and
the implementations of this are probably more robust than what
most people would typically write themselves. However, there are
a few limitations if you use it:
(1) All of your pages will be protected with this.
Don't you have a few 'free' pages that will not require authentication?
Most other apps do too. These would have to be moved to a separate
web app that doesn't require authentication.
(2) Most implementations will do a simple check of user identity and
password. What if you have a concept of a user being suspended?
Say, if a user is not up to date with their dues. You do not want
to delete their account but you do not want to let them in this time
either. Most implementations do not allow for a call back of
custom defined functions. Another situation where this is required
is if you want to limit repeated unsuccessful login attempts.
(3) What if a user forgets their password? Many applications allow for
user defined challenge responses (What is your favorite color?) for
alternate authentication. The spec doesn't allow for this.
Some servlet engines have implementations of the Servlet 2.2 authentication
facilities, such as LDAP realm, database realm, NT, etc. authentication. If the
limitations listed do not matter to you and you are using a servlet
engine with these facilities, then you would be much better off using them than
cooking up your own code for it.
-----Original Message-----
From: Costin [mailto:[EMAIL PROTECTED]]
Sent: Saturday, June 16, 2001 1:35 PM
To: [EMAIL PROTECTED]
Subject: Login-procedure
Hello!
I've noticed some talk lately about login methods and I have a little
question about implementing a servlet to do such a job. I know that j2ee
provides some services for authentication and authorization. I've tried
working with these services on the j2ee server and it 'seems' to behave
ok. Also, the servlet container 'seems' to be doing well when requesting
un-authorized pages. Can anybody tell me what method is best - a servlet
that does the job or the services provided by j2ee?
I'm trying to do a servlet for some web site accessible only to signed
members. There should be a login page, some free pages to browse and some
cool pages viewable only by those who have membership. What is the best
approach?
Thanks in advance,
Costin
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
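
The custom checks that limitation (2) in the reply says most container login implementations have no callback for (a suspended account, a limit on repeated unsuccessful logins), as an added example that is not part of either message or of any servlet engine. `LoginGate`, `AccountStore` and the thresholds of 5 failures and 15 minutes are hypothetical names and values chosen for illustration.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class LoginGate {
    public enum Result { OK, BAD_CREDENTIALS, SUSPENDED, LOCKED_OUT }

    // Hypothetical interface; a real application backs it with its user database.
    public interface AccountStore {
        boolean passwordMatches(String user, char[] password); // compare against a stored hash
        boolean isSuspended(String user);                      // e.g. dues not paid
    }

    static final int MAX_FAILURES = 5;                        // assumed policy
    static final Duration LOCK_TIME = Duration.ofMinutes(15); // assumed policy

    private static final class Failures { int count; Instant lockedUntil = Instant.MIN; }

    private final AccountStore store;
    // Keyed by the submitted name; bound or expire this map in a long-running server.
    private final Map<String, Failures> failures = new ConcurrentHashMap<>();

    public LoginGate(AccountStore store) { this.store = store; }

    public Result login(String user, char[] password, Instant now) {
        if (user == null || password == null) return Result.BAD_CREDENTIALS;
        Failures f = failures.computeIfAbsent(user, u -> new Failures());
        synchronized (f) {
            // While locked, refuse before the password is even looked at.
            if (now.isBefore(f.lockedUntil)) return Result.LOCKED_OUT;
            if (!store.passwordMatches(user, password)) {
                if (++f.count >= MAX_FAILURES) { f.lockedUntil = now.plus(LOCK_TIME); f.count = 0; }
                return Result.BAD_CREDENTIALS;
            }
            f.count = 0;
            // Suspension is reported only after a correct password, so account
            // status is not disclosed to a caller who has not authenticated.
            return store.isSuspended(user) ? Result.SUSPENDED : Result.OK;
        }
    }

    public static void main(String[] args) {
        AccountStore demo = new AccountStore() { // constructed sample data, plaintext for the demo only
            public boolean passwordMatches(String u, char[] p) { return u.equals("alice") && new String(p).equals("s3cret"); }
            public boolean isSuspended(String u) { return true; }
        };
        LoginGate gate = new LoginGate(demo);
        Instant t = Instant.now();
        for (int i = 0; i < MAX_FAILURES; i++) System.out.println(gate.login("alice", "wrong".toCharArray(), t));
        System.out.println(gate.login("alice", "s3cret".toCharArray(), t));
        System.out.println(gate.login("alice", "s3cret".toCharArray(), t.plus(LOCK_TIME)));
    }
}
```

A login servlet would call `login(...)` with the submitted form values and put the user into the session only on `Result.OK`.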