best practices for authentication

karl koch
Ranch Hand

Joined: May 25, 2001
Posts: 388
Hi all,
For authentication, I could use a filter that checks if a User object is in the session already and, if not, redirect to the login page. This is authentication controlled at a single point, no tags needed in JSPs and so on.
Is this good technique or is it not recommended?
I've also heard about container based authentication. How would this work?
Thanks and merry x-mas
Michael Mendelson
Ranch Hand

Joined: Dec 19, 2000
Posts: 73
OK, here's my latest take on it:
Valves/filters may be used for authentication, but Realms seem to be designed for it.
Valves/filters are newer than Realms, and are a bit more flexible. For example, you can use them for post-processing (AFTER the page executes).
My suggestion (if you can be flexible and just need something simple) is to use the JDBCRealm that's "out of the box."
It's sort of a confusing issue because there's a lot of overlap in functionality.
If you're interested in understanding Valves a little better, my suggestion is to take a look at RequestFilterValve (and its subclasses, RemoteAddrValve and RemoteHostValve). These are pre-written filters whose use is explained at They give you an example of how filters work, BUT the problem I have with them is that they rely on information in the server.xml file. Changing it will require a re-start, which might be inappropriate in a production environment.
[ December 25, 2002: Message edited by: Michael Mendelson ]
karl koch
Ranch Hand

Joined: May 25, 2001
Posts: 388
Hi Michael,
Are valves part of the specs or Tomcat specific?
If they are Tomcat specific I won't be able to use them (we develop on Tomcat but... who knows what the app will run on in a production environment?)
What about form based auth? Is it secure if the login page is on SSL and the rest on unsecured HTTP?
Or do I just add a filter, check for a specific object in the session and redirect to the login page if not present?
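As an added example (not code posted in this thread), here is the filter approach Karl describes: a single javax.servlet.Filter mapped to /* that looks for a User object in the session and redirects to the login page when it is missing. The session attribute name "user", the login page path /login.jsp, the /login action path and the loginPage init-param are all assumptions made for the example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumed: the login servlet stores the authenticated User object under the
// session attribute "user". Map this filter to /* in web.xml so every request
// passes through this one checkpoint.
public class AuthenticationFilter implements Filter {
    static final String USER_ATTR = "user";          // assumed attribute name
    private String loginPage = "/login.jsp";         // assumed default, overridable
    private static final String LOGIN_ACTION = "/login"; // assumed form target

    public void init(FilterConfig config) {
        String p = config.getInitParameter("loginPage"); // hypothetical init-param
        if (p != null) loginPage = p;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The login page and the servlet it posts to must stay reachable,
        // otherwise an unauthenticated visitor is redirected in an endless loop.
        String path = request.getServletPath();
        if (path.equals(loginPage) || path.equals(LOGIN_ACTION)) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false) only returns an existing session; this avoids
        // creating a server-side session for every anonymous hit.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            response.sendRedirect(request.getContextPath() + loginPage);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {}
}
```

Whatever sets the "user" attribute after a successful login should first call session.invalidate() and obtain a fresh session, so that a session id issued before login is not carried over into the authenticated state.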
I agree. Here's the link: