JavaRanch » Java Forums » Java » Servlets
best practices for authentication

karl koch
Ranch Hand

Joined: May 25, 2001
Posts: 388
hi all
for authentication, I could use a filter that checks if a User object is already in the session and, if not, redirects to the login page. this is authentication controlled at a single point, no tags needed in JSPs and so on.
is this a good technique, or is it not recommended?
I've also heard about container-based authentication. how would this work?
thanks and merry x-mas
karl
Michael Mendelson
Ranch Hand

Joined: Dec 19, 2000
Posts: 73
OK, here's my latest take on it:
Valves/filters may be used for authentication, but Realms seem to be designed for it.
Valves/filters are newer than Realms, and are a bit more flexible. For example, you can use them for post-processing (AFTER the page executes).
My suggestion (if you can be flexible and just need something simple) is to use the JDBCRealm that's "out of the box."
It's sort of a confusing issue because there's a lot of overlap in functionality.
If you're interested in understanding Valves a little better, my suggestion is to take a look at RequestFilterValve (and its subclasses, RemoteAddrValve and RemoteHostValve). These are pre-written filters whose use is explained at http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/valve.html. They give you an example of how filters work, BUT the problem I have with them is that they rely on information in the server.xml file. Changing it will require a re-start, which might be inappropriate in a production environment.
[ December 25, 2002: Message edited by: Michael Mendelson ]
karl koch
Ranch Hand

Joined: May 25, 2001
Posts: 388
hi Michael
are valves part of the specs or Tomcat-specific?
if they are Tomcat-specific I won't be able to use them (we develop on Tomcat but... who knows what the app will run on in a production environment?)
what about form-based auth? is it secure if the login page is on SSL and the rest on unsecured HTTP?
or do I just add a filter, check for a specific object in the session and redirect to the login page if it's not present?
karl
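The session-check filter discussed in this thread, written out as an added example (not code from any poster): it is a Servlet 2.3 Filter that looks for a "user" attribute in the session and redirects everything else to the login page. The attribute name, the login page path "/login.jsp" and the form target "/login" are assumptions for the example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Single-point authentication check: every request this filter is mapped to
 *  must carry a "user" attribute in the session, otherwise it is sent to the
 *  login page. Attribute name and login paths are assumed for this example. */
public class AuthFilter implements Filter {
    private static final String USER_ATTR = "user";
    private static final String LOGIN_PAGE = "/login.jsp";
    private static final String LOGIN_ACTION = "/login";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the context root, so the check survives a change of deployment name.
        String path = request.getRequestURI().substring(request.getContextPath().length());

        // The login page and its form target must stay reachable, or nobody can ever log in.
        if (path.equals(LOGIN_PAGE) || path.equals(LOGIN_ACTION)) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false): do not create a session merely to discover it holds no user.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            // Redirect rather than forward, so the browser sees the login URL, not the protected one.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Map it in web.xml with a filter-mapping whose url-pattern is "/*" so no protected resource is reachable without passing through it; the login servlet is the only place that should ever set the "user" attribute.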