There are definitely some issues involved here. If you are working on a company site that will restrict access to the site to a list of people that is managed separately (i.e. the HR department or IT department adds a person as a user who is allowed to access the site), container managed security is for you.

If you are working on a site that you want to allow visitors to create profiles / logins on the fly, stick with your existing session key system. The 'key' reason is this: the servlet API provides no access to the login mechanism - you cannot programmatically log a user in. So if you direct a user to a 'create new login' page, you have no way to cause the user to be logged in after they have finished creating the login. You can have your users create a profile on one page, save the results to your security db, then have the user log in on another page that posts to j_security_check, but there is no way to do it in one step - very confusing for casual visitors.

One nice feature of the 2.3 spec is filters, which to some degree will allow you to extend your session key security to behave *similarly* to the declarative security of the CMA. By that I mean that by using a filter, you can configure the security in the web.xml file, rather than having to add tags or other logic to pages in order to protect them.

Best of luck,

Eric Everman

At 03:12 PM 6/7/2002, you wrote:
>Hi Eric,
>Thank you for verifying that. I've actually made my own authentication
>before but when I read about container-managed authentication I realised
>that that was exactly what I was looking for.
>
>Is there any reason for keeping the user's login as a session attribute or
>is it better to use request.getRemoteUser()? What's the praxis?
>
>
>Markus
>
>
>On Friday, June 7, 2002, at 09:12, Eric Everman wrote:
>
>>Prior to the Servlet 2.3 spec, it was ambiguous as to when a client was
>>no longer logged in. The 2.3 servlet spec states that a client is logged
>>out when their session is invalidated. So if Tomcat works as advertised,
>>session.invalidate() should do what you expect.
>>
>>Eric Everman
>>
>>At 12:49 PM 6/7/2002, you wrote:
>>>Hi,
>>>I use a JDBC Realm with FORM based authentication but haven't figured
>>>out a way for users to log out. Is it just to call session.invalidate()
>>>or is there any better way to do it?
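The filter approach Eric describes, and the session.invalidate() logout from the earlier reply, as an added example that is not part of the thread: a Servlet 2.3 Filter mapped in web.xml that protects every URL under a path without touching the pages themselves. It assumes an application login page at /login.jsp that stores the authenticated username in the session attribute "user"; both names are assumptions, not from the thread.

```java
// Added example (not from the thread): a Servlet 2.3 Filter that guards the
// URLs it is mapped to in web.xml, so no per-page checks are needed.
// Assumed: login page /login.jsp stores the username in session attribute "user".
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class SessionAuthFilter implements Filter {
    static final String USER_ATTR = "user";   // set by the login handler (assumed name)
    private String loginPage;

    public void init(FilterConfig cfg) {
        // Read the login page from an <init-param>; the default is an assumption
        loginPage = cfg.getInitParameter("loginPage");
        if (loginPage == null) loginPage = "/login.jsp";
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);  // never create a session here

        // Logout: per the 2.3 spec, invalidating the session logs the client out
        if (request.getRequestURI().equals(request.getContextPath() + "/logout")) {
            if (session != null) session.invalidate();
            response.sendRedirect(request.getContextPath() + loginPage);
            return;
        }

        // Accept either a container-managed login (getRemoteUser) or the
        // application's own session key; otherwise send the client to the login page
        boolean loggedIn = request.getRemoteUser() != null
                || (session != null && session.getAttribute(USER_ATTR) != null);
        if (!loggedIn) {
            response.sendRedirect(request.getContextPath() + loginPage);
            return;
        }
        chain.doFilter(req, res);  // authenticated: let the request through
    }

    public void destroy() { }
}
/* web.xml (Servlet 2.3) declaration, protecting everything under /secure/
   and routing /logout through the same filter:
   <filter><filter-name>auth</filter-name><filter-class>SessionAuthFilter</filter-class>
     <init-param><param-name>loginPage</param-name><param-value>/login.jsp</param-value></init-param>
   </filter>
   <filter-mapping><filter-name>auth</filter-name><url-pattern>/secure/*</url-pattern></filter-mapping>
   <filter-mapping><filter-name>auth</filter-name><url-pattern>/logout</url-pattern></filter-mapping>
*/
```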
