Subject: Re: More flexible JDBCRealm implementation (for ASP-style webapp)
From: "Vic C." <[EMAIL PROTECTED]>
===

I was just thinking of a design I did for the ASP model:

Create a dispatch web app with single sign-on (over multiple apps).
Say you have 4 clients, that is 4 virtual hosts, plus one dispatch host.
When people log in, they go to dispatch and log in via JDBC realms to the
dispatch web; they log in with their e-mail or something. Once authenticated,
you create a bean that finds out what web app they should go to based on
org_id. And then each action (retrieve or update) appends org_id to db tables.
It worked. So JAAS up front, and a bean and action in the back.

I could write up an implementation..... one day.

Vic

Soefara Redzuan wrote:
> Thank you for the reply Vic.
>
>> From: "Vic C." <[EMAIL PROTECTED]>
>> That is a frequent need.
>>
>> What is needed is the concept of "organization", a 3rd field in every db
>> table.
>
> Yes, I've done something like that too. But have therefore found that
> the Tomcat out-of-the-box JDBCRealm setup (using server.xml, web.xml as I
> described below) is not flexible in any way.
>
> So it looks like I too will have to use a manual authentication which
> I had hoped to avoid in the name of standardization. Oh well.
>
>> I know how to manually code (using getUserPrincipal and a bean) but
>> nothing automatic I can think of.
>
> Why use getUserPrincipal ?
> I thought we were supposed to use request.getRemoteUser() ?
>
> Also, may I ask what you mean by "a bean" for this ?
> I really like to design code (including Javabeans) so that they
> will run in standalone applications, as well as in the servlet
> container environment. Is it possible to design an authentication
> mechanism that is not dependent upon the servlet container (eg. Tomcat) ?
>
> Soefara.
>
>> Vic
>>
>> Soefara Redzuan wrote:
>>> I've setup a JDBCRealm for Tomcat using MySQL. It works OK
>>> but the database schema is not good for an ASP (application
>>> service provider) model. For example, I would like several
>>> companies to use the same webapp (each company should not
>>> know of the other's existence) and each should be able to
>>> create a user 'admin' and a user 'david' but in the way that
>>> JDBCRealm is currently configured only one instance of any
>>> user name is possible since it is the primary key in the users
>>> table. Is there a better way to do this ?
>>>
>>> I followed instructions found on many websites for setting up
>>> a JDBCRealm.
>>>
>>> The table schema is
>>>
>>> create table user_groups (
>>>   group_id int not null auto_increment,
>>>   group_name char(24),
>>>   parent_id int not null default -1,
>>>   primary key (group_id)
>>> );
>>>
>>> create table users (
>>>   user_name varchar(32) not null,
>>>   user_pass varchar(32) not null,
>>>   user_groupid int not null default -1,
>>>   primary key (user_name)
>>> );
>>>
>>> -- user_name must be the same width as in users, or a long
>>> -- user name can exist without ever matching a role row
>>> create table user_roles (
>>>   user_name varchar(32) not null,
>>>   role_name varchar(15) not null,
>>>   primary key (user_name, role_name)
>>> );
>>>
>>> And in Tomcat's server.xml I have this in the appropriate context,
>>>
>>> <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
>>>        driverName="org.gjt.mm.mysql.Driver"
>>>        connectionURL="jdbc:mysql://servername/databasename"
>>>        userTable="users" userNameCol="user_name" userCredCol="user_pass"
>>>        userRoleTable="user_roles" roleNameCol="role_name"/>
>>>
>>> And finally this in the webapp's web.xml,
>>>
>>> <security-constraint>
>>>   <web-resource-collection>
>>>     <web-resource-name>ProtectedApp</web-resource-name>
>>>     <url-pattern>/*</url-pattern>
>>>     <http-method>POST</http-method>
>>>     <http-method>GET</http-method>
>>>   </web-resource-collection>
>>>   <auth-constraint>
>>>     <description>name the security roles that are allowed to
>>>     access</description>
>>>     <role-name>administrator</role-name>
>>>     <role-name>user</role-name>
>>>   </auth-constraint>
>>> </security-constraint>
>>>
>>> The alternative is to set up a separate webapp for each
>>> company that wishes to use our service but that really isn't
>>> scalable and doesn't allow for users to self-register and
>>> be up-and-running without administrator intervention.
>>>
>>> Has anybody solved this problem ? Thank you in advance,
>>>
>>> Soefara.

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
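The thread's crux is that `user_name` alone is the primary key of `users`, so two companies cannot both have an 'admin', and Vic's answer is to make "organization" a column of every table and append it to every query. The following is an added example, not code posted by anyone in the thread and not Tomcat's JDBCRealm: it rebuilds the `users`/`user_roles` tables with a composite `(org_id, user_name)` key, authenticates within one organization, and scopes an application query by `org_id`. It uses Python's standard-library sqlite3 as a stand-in for the MySQL/JDBC setup; the `orgs` and `documents` tables, the PBKDF2 password hashing (the original stores `user_pass` as a bare 32-character column) and the function names are assumptions for illustration.

```python
"""Multi-tenant user store modelled on the JDBCRealm tables in the thread.
Added example; uses sqlite3 in memory as a stand-in for MySQL over JDBC."""
import hashlib
import hmac
import os
import sqlite3

# Assumed schema: org_id is part of every key, so 'admin' exists once per org.
SCHEMA = """
create table orgs (
  org_id   integer primary key,
  org_name text not null unique
);
create table users (
  org_id    integer not null references orgs(org_id),
  user_name varchar(32) not null,
  pass_salt blob not null,
  pass_hash blob not null,          -- PBKDF2-HMAC-SHA256, not the plaintext
  primary key (org_id, user_name)
);
create table user_roles (
  org_id    integer not null,
  user_name varchar(32) not null,
  role_name varchar(15) not null,
  primary key (org_id, user_name, role_name),
  foreign key (org_id, user_name) references users(org_id, user_name)
);
-- An application table carrying org_id as the "3rd field" (assumed).
create table documents (
  doc_id integer primary key,
  org_id integer not null references orgs(org_id),
  title  text not null
);
"""

PBKDF2_ROUNDS = 100_000


def hash_password(password, salt):
    """Salted PBKDF2 so a leaked users table does not leak passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("pragma foreign_keys = on")
    conn.executescript(SCHEMA)
    return conn


def add_org(conn, name):
    return conn.execute("insert into orgs(org_name) values (?)", (name,)).lastrowid


def add_user(conn, org_id, user_name, password, roles):
    salt = os.urandom(16)
    conn.execute("insert into users values (?, ?, ?, ?)",
                 (org_id, user_name, salt, hash_password(password, salt)))
    conn.executemany("insert into user_roles values (?, ?, ?)",
                     [(org_id, user_name, r) for r in roles])


def authenticate(conn, org_id, user_name, password):
    """Return the user's roles on success, None on failure.
    The lookup is keyed by (org_id, user_name), so the same user_name in
    another org is a different account with a different credential."""
    row = conn.execute("select pass_salt, pass_hash from users "
                       "where org_id = ? and user_name = ?",
                       (org_id, user_name)).fetchone()
    if row is None:
        return None
    salt, stored = row
    if not hmac.compare_digest(stored, hash_password(password, salt)):
        return None
    return sorted(r for (r,) in conn.execute(
        "select role_name from user_roles where org_id = ? and user_name = ?",
        (org_id, user_name)))


def fetch_documents(conn, org_id):
    """Every data query appends org_id, so tenants never see each other's rows."""
    return [t for (t,) in conn.execute(
        "select title from documents where org_id = ? order by doc_id", (org_id,))]


def demo():
    conn = open_db()
    acme = add_org(conn, "acme")        # constructed sample tenants
    globex = add_org(conn, "globex")
    add_user(conn, acme, "admin", "acme-secret", ["administrator", "user"])
    add_user(conn, globex, "admin", "globex-secret", ["administrator"])  # same name, other org
    add_user(conn, globex, "david", "pw-david", ["user"])
    conn.execute("insert into documents(org_id, title) values (?, ?)", (acme, "Acme roadmap"))
    conn.execute("insert into documents(org_id, title) values (?, ?)", (globex, "Globex payroll"))
    return {
        "acme_admin": authenticate(conn, acme, "admin", "acme-secret"),
        "cross_org": authenticate(conn, acme, "admin", "globex-secret"),  # valid password, wrong org
        "acme_docs": fetch_documents(conn, acme),
        "globex_docs": fetch_documents(conn, globex),
    }


if __name__ == "__main__":
    print(demo())
```

Because the container realm only sees a single login name, a setup like Vic's dispatch host has to carry the organization in the identifier (a globally unique e-mail, or an `org\user` form) and resolve it to `org_id` before calling `authenticate`; the isolation then rests on every query taking `org_id` as a parameter rather than on the login name being unique.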