I have used the <security-constraint> tags and just started to use realms with a database in Tomcat (thanks for the link again Ben Souther) to allow certain users to view certain pages.
But what if I only want a user to be authenticated once, so that for the rest of the session the user can access all pages he is authorized to view without having to be authenticated each time?
How are declarative and programmatic security typically used in these situations?
This is what I was thinking:
The first time a user logs in from the login page, the username/password as well as the authentication method that is declared in the <security-constraint> sections of the DD is used.
Once the user has been authenticated the first time (a correct username/password combo), I set a Boolean variable in a session object to true.
Then for all other pages that require authentication, I just check the session object to see if the attribute value is set to true. If it is (and the user is logged in) I display the appropriate info, otherwise I display a message for the user to go log in.
I'm just curious as to how such cases are typically handled and if there is a more secure (or proper) way to handle this.
Thanks for taking the time to read my question.
Any thoughts or suggestions would be much appreciated.
[ May 19, 2008: Message edited by: al langley ]
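As an added example (not code from the original post), here is how the declarative and programmatic pieces combine in a servlet Filter: the container, configured by the web.xml fragment in the comments, authenticates once per session against the realm, and the filter reads that state through getUserPrincipal()/isUserInRole() rather than a separately managed session Boolean. The filter class name, the role name "member" and the URL patterns are assumptions.

```java
// Added example: a Filter that relies on the container's authentication state.
// Assumes web.xml declares FORM authentication for the protected pages, e.g.:
//   <security-constraint>
//     <web-resource-collection><url-pattern>/secure/*</url-pattern></web-resource-collection>
//     <auth-constraint><role-name>member</role-name></auth-constraint>
//   </security-constraint>
//   <login-config><auth-method>FORM</auth-method>
//     <form-login-config><form-login-page>/login.jsp</form-login-page>
//       <form-error-page>/login-error.jsp</form-error-page></form-login-config>
//   </login-config>
//   <security-role><role-name>member</role-name></security-role>
// With that in place the container checks the username/password against the realm
// once, attaches the Principal to the session, and recognises every later request
// in that session by its session cookie; no hand-set flag is needed.
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class RoleCheckFilter implements Filter {
    // Hypothetical role name; must match a <role-name> in web.xml.
    private static final String REQUIRED_ROLE = "member";

    public void init(FilterConfig config) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Programmatic security: ask the container who the caller is. The Principal
        // is set by the realm after the FORM login and lives for the whole session.
        if (request.getUserPrincipal() == null) {
            // Not yet authenticated: send the user to a URL that is covered by the
            // <security-constraint>, so the container's own FORM login takes over.
            response.sendRedirect(request.getContextPath() + "/secure/");
            return;
        }
        // Finer-grained check than the DD alone gives, e.g. for pages outside
        // the declared URL pattern that still need this role.
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Map the filter in web.xml with a <filter-mapping> on the pages that need the role check; pages already under the <security-constraint> never reach doFilter unauthenticated.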