
best practices for authentication

 
karl koch
Ranch Hand
Posts: 388
Hi all,
For authentication, I could use a filter that checks if a User object is in the session already and, if not, redirects to the login page. This is authentication controlled at a single point, no tags needed in JSPs and so on.
Is this a good technique, or is it not recommended?
I've also heard about container-based authentication. How would this work?
Thanks and merry X-mas,
Karl
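The filter described in the post above, written out as an added example (this is not code from the thread or from any of its posters). It assumes a login servlet mapped at /login that, after checking the credentials, stores a User object under the session attribute "user"; both the path and the attribute name are assumptions, as is the /static/ prefix for resources the login page needs. Everything else is a plain Servlet 2.3 Filter and runs on any compliant container, not only Tomcat.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Single-point authentication filter (added example, not from the thread).
 * Map it to /* in web.xml so that every request passes through it.
 */
public class AuthenticationFilter implements Filter {

    static final String USER_ATTR = "user";      // assumed: set by the login servlet on success
    static final String LOGIN_PATH = "/login";   // assumed: context-relative path of the login servlet
    static final String RETURN_TO_ATTR = "returnTo";

    public void init(FilterConfig cfg) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) does not create a session for anonymous visitors,
        // so a scan of the site does not fill the container with empty sessions.
        HttpSession session = request.getSession(false);
        boolean authenticated = session != null && session.getAttribute(USER_ATTR) != null;

        if (authenticated || isPublic(request)) {
            chain.doFilter(req, res);
            return;
        }

        // Remember the requested page so the login servlet can send the user back.
        // Only the path inside this application is stored, never a URL taken from
        // the request, so the login servlet cannot be turned into an open redirect.
        String target = request.getServletPath();
        if (request.getPathInfo() != null) {
            target += request.getPathInfo();
        }
        if (request.getQueryString() != null) {
            target += "?" + request.getQueryString();
        }
        request.getSession(true).setAttribute(RETURN_TO_ATTR, target);

        response.sendRedirect(request.getContextPath() + LOGIN_PATH);
    }

    /**
     * The login page itself and the static resources it needs must stay reachable
     * without a session, otherwise the redirect to /login loops forever.
     */
    private static boolean isPublic(HttpServletRequest request) {
        String path = request.getServletPath();
        return LOGIN_PATH.equals(path) || path.startsWith("/static/");
    }
}
```

Two things the filter alone does not give you: the login servlet should call `session.invalidate()` and start a fresh session before it stores the User object, so that a session id handed to the browser before login is never the one that becomes authenticated; and whatever protects the login page must also protect every request that carries the session cookie, since the cookie is all the filter checks.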
 
Michael Mendelson
Ranch Hand
Posts: 73
OK, here's my latest take on it:
Valves/filters may be used for authentication, but Realms seem to be designed for it.
Valves/filters are newer than Realms, and are a bit more flexible. For example, you can use them for post-processing (AFTER the page executes).
My suggestion (if you can be flexible and just need something simple) is to use the JDBCRealm that's "out of the box."
It's sort of a confusing issue because there's a lot of overlap in functionality.
If you're interested in understanding Valves a little better, my suggestion is to take a look at RequestFilterValve (and its subclasses, RemoteAddrValve and RemoteHostValve). These are pre-written filters whose use is explained at http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/valve.html. They give you an example of how filters work, BUT the problem I have with them is that they rely on information in the server.xml file. Changing it will require a re-start, which might be inappropriate in a production environment.
[ December 25, 2002: Message edited by: Michael Mendelson ]
 
karl koch
Ranch Hand
Posts: 388
Hi Michael,
Are valves part of the specs or Tomcat-specific?
If they are Tomcat-specific I won't be able to use them (we develop on Tomcat, but... who knows what the app will run on in a production environment?).
What about form-based auth? Is it secure if the login page is on SSL and the rest on unsecured HTTP?
Or do I just add a filter, check for a specific object in the session and redirect to the login page if not present?
Karl
 