On Fri, 24 Aug 2001, Roland wrote:
> Date: Fri, 24 Aug 2001 15:27:22 -0300
> From: Roland <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: Question working with security realms
>
> > Using container managed security means you should *not* do your own
> > application-managed security -- it's an either/or thing. You should
> > design your app so that you use one or the other, but not both.
> >
> Yes, sure, but my question is, how can I forward the user from the container
> security to my application, after he has logged on. This is because my
> application needs to know which user is logged on and adjust its behaviour
> accordingly!
>
You don't have to do any "forwarding". Consider the various login methods
that might be in use, and assume that the user just requested a protected
resource for the first time:
* BASIC and DIGEST: The browser will pop up the login dialog. Once the
user authenticates correctly, the original request will be honored.
* FORM BASED: The container will save the original request and display
the form login page. After you type in your username and password and
press submit, the container will automatically return the user to
the original request.
* CLIENT-CERT: You will be asked which of your client certificates should
be sent to the server. Once it's checked, the original request
will be honored.
As for how your application can adjust its behavior, look at the javadocs
for HttpServletRequest.getRemoteUser(),
HttpServletRequest.getUserPrincipal(), and
HttpServletRequest.isUserInRole(). These calls can be used to vary the
application's behavior based on who the user is, or what roles they have.
For example, it's real easy to add some extra menu options for a manager:
    out.println("... HTML for the menu options everyone sees ...");
    if (request.isUserInRole("manager")) {
        out.println("... HTML for extra options just for managers ...");
    }
You can experiment with container managed security using the example app.
Just start Tomcat and try to access:
http://localhost:8080/examples/jsp/security/protected/index.jsp
and you can look at the code there. You will see that there is absolutely
nothing in the protected page itself that worries about login, because
that is what the container is doing for you.
> Thanks Roland
Craig
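The pattern Craig describes, written out as a complete servlet. This is an added example, not code from the thread or from Tomcat's example webapp; the class name MenuServlet, the "manager" role name and the link targets are assumptions. It relies on the container having already authenticated the user for the URL this servlet is mapped to, and it uses only the three HttpServletRequest calls named above.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical servlet (assumed to be mapped under a URL pattern that a
 * web.xml security-constraint protects). No login code appears here: by the
 * time doGet() runs, the container has already authenticated the caller.
 */
public class MenuServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            // Only reachable if this URL is NOT covered by a security-constraint.
            // Treat that as a deployment mistake; do not fall back to a home-grown login.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "This resource must be protected by the container");
            return;
        }

        // getRemoteUser() returns the same identity as principal.getName().
        String user = request.getRemoteUser();

        response.setContentType("text/html; charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("<html><body>");
        // The realm supplies the user name, but escape it anyway before echoing it.
        out.println("<p>Logged in as " + escapeHtml(user) + "</p>");
        out.println("<ul>");
        out.println("<li><a href=\"reports\">Reports</a></li>"); // everyone sees this
        if (request.isUserInRole("manager")) {
            // Role membership is decided by the realm, never by a request parameter.
            out.println("<li><a href=\"approve\">Approve requests</a></li>");
        }
        out.println("</ul></body></html>");
    }

    /** Minimal HTML escaping for text inserted into element content. */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

For isUserInRole("manager") to work, web.xml must declare the role in a security-role element (or map it with a security-role-ref), and the realm must assign that role to the user. Hiding a menu entry is presentation, not authorization: the servlet behind "approve" has to be covered by its own security-constraint with an auth-constraint for "manager", or repeat the isUserInRole() check itself, so that a user who types the URL directly is still refused.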