I want to use container-managed security for authentication and authorization. I have read the correspondence from this group on the subject. My question is: once the customer has entered the userid/password and been authenticated, how can I store the customer profile in the customer's HTTP session? For example, the RDB realm in Tomcat does not have access to the HTTP session of a given user. I want to at least be able to store some kind of id which identifies the user in the user's session.
If you are not having a Session, then other ways would be to have hidden variables, cookies and URL rewriting. These three methods are insecure, though. You could write some code to encode the password while storing it as a cookie or sending it across pages as hidden variables and also in URL rewriting. This may not be a good idea in big applications.
Thanks for the replies. I am using form-based login and Tomcat. I just thought of a way: once the customer has been authenticated, to get the customer profile data, I can use request.getUserPrincipal() to get the user name and then use it to look up the customer's profile data.
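The approach in the post above, written out as a servlet filter (this is an added example, not code from the thread or from Tomcat). It is mapped to the same URL pattern as the security-constraint in web.xml, so by the time it runs the container's FORM authenticator has already populated the principal. On the first request of a session it resolves request.getUserPrincipal().getName() to a profile and caches that profile in the HttpSession; later requests reuse the cached copy. The class names, the attribute key, and the in-memory PROFILES map (a constructed stand-in for the table the RDB realm reads) are all assumptions for the illustration.

```java
import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter: runs after container authentication (map it to the
 * protected url-pattern in web.xml) and caches the customer's profile in the
 * HTTP session, keyed off the container principal rather than anything the
 * client sent.
 */
public class ProfileLoaderFilter implements Filter {

    /** Session attribute under which the profile is cached (assumed name). */
    static final String PROFILE_ATTR = "com.example.customerProfile";

    /** Hypothetical profile object. Deliberately carries no password or hash:
     *  the realm already verified the credential, the session only needs an id. */
    public static final class CustomerProfile implements Serializable {
        private static final long serialVersionUID = 1L;
        public final long customerId;
        public final String username;
        public final String displayName;

        CustomerProfile(long customerId, String username, String displayName) {
            this.customerId = customerId;
            this.username = username;
            this.displayName = displayName;
        }
    }

    /** Constructed stand-in for the customer table the RDB realm reads.
     *  In a real deployment this would be a DAO/JDBC lookup by user name. */
    private static final Map<String, CustomerProfile> PROFILES = new HashMap<String, CustomerProfile>();
    static {
        PROFILES.put("alice", new CustomerProfile(1001L, "alice", "Alice Example"));
        PROFILES.put("bob",   new CustomerProfile(1002L, "bob",   "Bob Example"));
    }

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        // Null until the container has authenticated this request; the filter
        // is mapped to protected URLs only, so normally it is populated here.
        Principal principal = request.getUserPrincipal();
        if (principal != null) {
            HttpSession session = request.getSession();
            CustomerProfile cached = (CustomerProfile) session.getAttribute(PROFILE_ATTR);

            // Load on the first authenticated request, and reload if the cached
            // profile belongs to a different user name (session reused across logins).
            if (cached == null || !cached.username.equals(principal.getName())) {
                CustomerProfile profile = PROFILES.get(principal.getName());
                if (profile == null) {
                    // Authenticated in the realm but no profile row: do not leave
                    // a stale profile from a previous user in the session.
                    session.removeAttribute(PROFILE_ATTR);
                } else {
                    session.setAttribute(PROFILE_ATTR, profile);
                }
            }
        }
        chain.doFilter(req, resp);
    }

    /** Convenience accessor for servlets/JSPs; null if no profile is cached. */
    public static CustomerProfile currentProfile(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session == null ? null : (CustomerProfile) session.getAttribute(PROFILE_ATTR);
    }
}
```

Two points worth keeping in mind with this pattern: keep using request.isUserInRole() for authorization decisions rather than copying roles into the cached profile, so a role change in the realm takes effect without waiting for the session to expire; and make sure the session id is rotated at login so a pre-login session id cannot be fixed by an attacker (Tomcat's authenticators do this by default via changeSessionIdOnAuthentication; on a Servlet 3.1 container request.changeSessionId() does the same thing explicitly).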