Hi all,

For authentication, I could use a filter that checks if a User object is in the session already and, if not, redirects to the login page. This is authentication controlled at a single point, no tags needed in JSPs and so on. Is this a good technique or is it not recommended? I've also heard about container-based authentication. How would this work?

Thanks and merry X-mas,
karl
Michael Mendelson
Ranch Hand
Joined: Dec 19, 2000
Posts: 73
OK, here's my latest take on it: Valves/filters may be used for authentication, but Realms seem to be designed for it. Valves/filters are newer than Realms, and are a bit more flexible. For example, you can use them for post-processing (AFTER the page executes).

My suggestion (if you can be flexible and just need something simple) is to use the JDBCRealm that's "out of the box." It's sort of a confusing issue because there's a lot of overlap in functionality.

If you're interested in understanding Valves a little better, my suggestion is to take a look at RequestFilterValve (and its subclasses, RemoteAddrValve and RemoteHostValve). These are pre-written filters whose use is explained at http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/valve.html. They give you an example of how filters work, BUT the problem I have with them is that they rely on information in the server.xml file. Changing it will require a restart, which might be inappropriate in a production environment.

[ December 25, 2002: Message edited by: Michael Mendelson ]
karl koch
Ranch Hand
Joined: May 25, 2001
Posts: 388
Hi Michael,

Are valves part of the specs or Tomcat-specific? If they are Tomcat-specific I won't be able to use them (we develop on Tomcat but... who knows what the app will run on in a production environment?). What about form-based auth? Is it secure if the login page is on SSL and the rest on unsecured HTTP? Or do I just add a filter, check for a specific object in the session and redirect to the login page if not present?

karl
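
The session-check filter described in this thread, as an added example that is not part of any poster's message. It uses only the Servlet API (`javax.servlet.Filter`), no Tomcat classes; the class name, the `user` attribute and the `/login.jsp` and `/login` paths are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: passes a request on only if the session holds a user object. */
public class LoginCheckFilter implements Filter {
    // Assumed names; none of them is given in the thread.
    private static final String USER_ATTR = "user";
    private static final String LOGIN_PAGE = "/login.jsp";
    private static final String LOGIN_ACTION = "/login"; // target of the login form

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Servlet path excludes the context root and any ;jsessionid suffix.
        String path = request.getServletPath();

        // The login page and its form target must stay reachable,
        // otherwise the redirect below loops forever.
        if (LOGIN_PAGE.equals(path) || LOGIN_ACTION.equals(path)) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false) does not create a session for anonymous visitors.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);

        if (user == null) {
            response.sendRedirect(
                response.encodeRedirectURL(request.getContextPath() + LOGIN_PAGE));
            return; // the protected resource is never executed
        }

        // The session cookie is sent with every request, so the pages behind
        // this check need the same transport protection as the login page.
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

The filter takes effect once it is declared with `<filter>` and mapped with `<filter-mapping>` (for example to `/*`) in the application's `web.xml`.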