best practices for authentication

Ranch Hand
Posts: 388
Hi all,
For authentication, I could use a filter that checks if a User object is already in the session and, if not, redirects to the login page. This is authentication controlled at a single point, no tags needed in JSPs and so on.
Is this a good technique, or is it not recommended?
I've also heard about container-based authentication. How would this work?
Thanks and merry X-mas,
Karl
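The single-point check Karl describes, written out as a servlet filter. This is an added example, not code from the thread: the session key "user", the login page path "/login.jsp" and the "/login" servlet mapping are assumptions, and a login servlet that stores the User object only after verifying credentials is assumed to exist. Filters are part of the Servlet 2.3 specification and therefore portable between containers; Tomcat Valves are Catalina-specific.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Authentication check at a single point: every request mapped to this
 * filter must carry a session holding a User object, otherwise the caller
 * is redirected to the login page. Servlet 2.3 API, no container extensions.
 */
public class AuthenticationFilter implements Filter {

    /** Session attribute the (assumed) login servlet sets after a successful login. */
    public static final String SESSION_USER_KEY = "user";
    /** Where the originally requested path is parked so the login servlet can return there. */
    public static final String ORIGINAL_URL_KEY = "originalUrl";

    private String loginPage = "/login.jsp";   // assumed default, overridable in web.xml
    private String loginAction = "/login";     // assumed mapping of the login servlet

    public void init(FilterConfig config) throws ServletException {
        String page = config.getInitParameter("loginPage");
        if (page != null) {
            loginPage = page;
        }
        String action = config.getInitParameter("loginAction");
        if (action != null) {
            loginAction = action;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The login page and its form target must pass, or every visit loops.
        if (isLoginResource(request)) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false): do not create a session only to find it empty.
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(SESSION_USER_KEY) != null) {
            chain.doFilter(req, res);
            return;
        }

        // Not logged in: remember the requested path server-side, then redirect.
        // The path is rebuilt from servletPath/pathInfo, so it is always
        // context-relative and cannot be turned into an open redirect.
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute(ORIGINAL_URL_KEY, requestedPath(request));
        response.sendRedirect(request.getContextPath() + loginPage);
    }

    boolean isLoginResource(HttpServletRequest request) {
        String path = request.getServletPath();
        return path.equals(loginPage) || path.equals(loginAction);
    }

    /** Context-relative path plus query string of the current request. */
    static String requestedPath(HttpServletRequest request) {
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        if (request.getQueryString() != null) {
            path += "?" + request.getQueryString();
        }
        return path;
    }

    public void destroy() {
    }
}
```

Map the filter to the protected URL pattern with a `<filter>`/`<filter-mapping>` pair in web.xml. Two points the filter itself cannot enforce: the login servlet should call `session.invalidate()` and obtain a new session before it stores the User object, so a session ID handed out before login is never promoted to an authenticated one, and it should read the return path from `ORIGINAL_URL_KEY` in the session rather than from a request parameter.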
 
Ranch Hand
Posts: 73
OK, here's my latest take on it:
Valves/filters may be used for authentication, but Realms seem to be designed for it.
Valves/filters are newer than Realms, and are a bit more flexible. For example, you can use them for post-processing (AFTER the page executes).
My suggestion (if you can be flexible and just need something simple) is to use the JDBCRealm that's "out of the box."
It's sort of a confusing issue because there's a lot of overlap in functionality.
If you're interested in understanding Valves a little better, my suggestion is to take a look at RequestFilterValve (and its subclasses, RemoteAddrValve and RemoteHostValve). These are pre-written filters whose use is explained at http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/valve.html. They give you an example of how filters work, BUT the problem I have with them is that they rely on information in the server.xml file. Changing it will require a re-start, which might be inappropriate in a production environment.
[ December 25, 2002: Message edited by: Michael Mendelson ]
 
karl koch
Ranch Hand
Posts: 388
Hi Michael,
Are Valves part of the specs or Tomcat-specific?
If they are Tomcat-specific I won't be able to use them (we develop on Tomcat, but... who knows what the app will run on in a production environment?).
What about form-based auth? Is it secure if the login page is on SSL and the rest on unsecured HTTP?
Or do I just add a filter, check for a specific object in the session and redirect to the login page if it is not present?
Karl
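Container-managed form-based authentication backed by the JDBCRealm Michael suggests, as an added example that is not part of the original thread. The deployment descriptor part is Servlet 2.3 and portable; the `<Realm>` element is Tomcat 4.1 configuration (attribute names as in the Tomcat 4.1 realm documentation) and goes in server.xml. The URL pattern `/app/*`, the role `user`, the database URL and the table and column names are assumptions. On the SSL question: after login the container identifies the user by the session cookie on every request, and a cookie sent over plain HTTP can be read on the wire, so the example puts `CONFIDENTIAL` on the constraint for the whole protected area rather than only on the login page.

```xml
<!-- web.xml (Servlet 2.3): the portable part -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Application</web-resource-name>
    <url-pattern>/app/*</url-pattern>          <!-- assumed protected area -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>                <!-- assumed role name -->
  </auth-constraint>
  <user-data-constraint>
    <!-- CONFIDENTIAL: the container requires SSL for every request under /app/*,
         not only for the login page, so the session cookie never crosses plain HTTP -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Application</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>

<!-- login.jsp: the form must post to j_security_check with exactly these field names;
     the container intercepts the POST, checks the realm and replays the original request -->
<form method="POST" action="j_security_check">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
  <input type="submit" value="Log in">
</form>

<!-- server.xml (Tomcat 4.1 only), inside the <Context>, <Host> or <Engine> element.
     Assumed schema: users(user_name, user_pass) and user_roles(user_name, role_name).
     digest="SHA" makes the realm compare against SHA digests so the table never holds
     clear-text passwords; omit it only if the column really contains clear text. -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="org.gjt.mm.mysql.Driver"
       connectionURL="jdbc:mysql://localhost/authority?user=dbuser&amp;password=dbpass"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"
       digest="SHA"/>
```

With this in place no filter and no session check in application code are needed: the container redirects unauthenticated requests for `/app/*` to `/login.jsp`, and `request.getRemoteUser()` and `request.isUserInRole("user")` are populated after login. Only the `<Realm>` element changes when the application moves to a different container.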