From: Thomas Soddemann <[EMAIL PROTECTED]>
Date: Thu, 20 Jul 2006 13:57:42 -0600
Andrew Stevens wrote:
Another possibility - you could always use the J2EE container-provided
security and add a security-constraint to your web.xml for
<url-pattern>/buildindex</url-pattern>. That might be simpler than
learning the authentication framework or acegi if don't need to
authenticate users in the rest of your site.
Hi Andrew,
what do you mean by "if [you] don't need to authenticate ..."?
Only that if you did have such a need, then for a full-blown authentication
& authorisation solution the other mechanisms generally get mentioned here
on the lists in preference to the J2EE security; if you didn't have that
requirement, the standard J2EE mechanism may be quicker to get up & running
than learning some other new method. Of course, if you're using
authentication on the rest of your site anyway, you could just use that
mechanism to restrict the buildindex page to your own account.
The remoteUser property is set in the HttpRequest if a user is
authenticated and can e.g. be used for authorization (apart from the
configurational authorization you have already mentioned).
It may depend on the container you're using, but in general I've found that
even after logging in getRemoteUser returns null unless it's a request for a
protected page (i.e. it's covered by a security constraint) in which case
you'll probably have a role specified anyway.
Depending on the security modul employed, additional informations are
"shipped" with each HttpRequest or set in the session.
Thomas
Andrew.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
