wood burning stoves 2.0*
The moose likes Servlets and the fly likes What Is The Proper Design - Security Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » Servlets
Bookmark "What Is The Proper Design - Security" Watch "What Is The Proper Design - Security" New topic
Author

What Is The Proper Design - Security

JiaPei Jen
Ranch Hand

Joined: Nov 19, 2000
Posts: 1309
I am working on a web application. Registered members of the web site fall into mutually exclusive four different roles - contributor, editor, advisor, and administrator.
The number of contributors could be hundreds and they are directed to Page C and go forward from there.
The number of editors would be less than 15 and they are directed to Page E and go forward from there.
The number of advisors would be less than 5 and they are directed tp Page A and go forward from there.
There are a couple of administrators and there is no restriction for them to access the resources.
All registered members are kept in a database. The database has their name, password, role, etc.
My questions is regarding the security checking when a member submits the LOGON form:
Should I read in the logon information, check against the database, get his/her role from the database, and direct him/her to the proper web page?
Or
Should I use the <security-constraint> <login-config> and <security-role> tags in the web.xml?
I am confused. Please help to clarify my thoughts.
Eelco den Heijer
Ranch Hand

Joined: Jan 17, 2002
Posts: 61
You should implement a custom authentication module that authenticates the user against the user database. The same goes for the role mapping: you should create a custom role mapper. In the web.xml you should indeed assign roles to resources, but the actual authentication, and the actual role mapping (user X has role Y, or roles A,B,C) should be built custom. Exactly how depends on your container. Maybe your container already has custom implementations for DB authentication and role mapping, maybe not. You are not the first with this problem, so look around :-)


== <br />Rgrds,<br />Eelco<br /> <br />SCJP, SCJD, SCBCD, SCWD, SCEA
JiaPei Jen
Ranch Hand

Joined: Nov 19, 2000
Posts: 1309
I am using the Tomcat. This is my first project. Therefore, I really need guidance.
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: What Is The Proper Design - Security