File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
http://aspose.com/file-tools
Win a copy of Soft Skills: The software developer's life manual this week in the Jobs Discussion forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

What Is The Proper Design - Security

 
JiaPei Jen
Ranch Hand
Posts: 1309
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I am working on a web application. Registered members of the web site fall into mutually exclusive four different roles - contributor, editor, advisor, and administrator.
The number of contributors could be hundreds and they are directed to Page C and go forward from there.
The number of editors would be less than 15 and they are directed to Page E and go forward from there.
The number of advisors would be less than 5 and they are directed tp Page A and go forward from there.
There are a couple of administrators and there is no restriction for them to access the resources.
All registered members are kept in a database. The database has their name, password, role, etc.
My questions is regarding the security checking when a member submits the LOGON form:
Should I read in the logon information, check against the database, get his/her role from the database, and direct him/her to the proper web page?
Or
Should I use the <security-constraint> <login-config> and <security-role> tags in the web.xml?
I am confused. Please help to clarify my thoughts.
 
Eelco den Heijer
Ranch Hand
Posts: 61
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
You should implement a custom authentication module that authenticates the user against the user database. The same goes for the role mapping: you should create a custom role mapper. In the web.xml you should indeed assign roles to resources, but the actual authentication, and the actual role mapping (user X has role Y, or roles A,B,C) should be built custom. Exactly how depends on your container. Maybe your container already has custom implementations for DB authentication and role mapping, maybe not. You are not the first with this problem, so look around :-)
 
JiaPei Jen
Ranch Hand
Posts: 1309
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I am using the Tomcat. This is my first project. Therefore, I really need guidance.
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic