I have used the <security-constraint> tags and just started to use realms with a database in Tomcat (thanks for the link again Ben Souther) to allow certain users to view certain pages. But what if I only want a user to be authenticated once, and for the rest of the session the user can access all pages he is authorized to view without having to be authenticated each time?
How are declarative and programmatic security typically used in these situations?
This is what I was thinking: The first time a user logs in from the login page, the username/password as well as the authentication method that is declared in the <security-constraints> sections of the DD is used.
Once the user has been authenticated the first time (a correct username/password combo) I set a Boolean variable in a session object to true.
Then for all other pages that require authentication, I just check the session object to see if the attribute value is set to true. If it is (and the user is logged in) I display the appropriate info, otherwise I display a message for the user to go log in.
I'm just curious as to how such cases are typically handled and if there is a more secure (or proper) way to handle this. Thanks for taking the time to read my question. Any thoughts or suggestions would be much appreciated. [ May 19, 2008: Message edited by: al langley ]
If you're using declarative security you don't need to do anything in your code - the servlet container will handle it (and it won't ask a user for the password more than once per session).
But you're talking about doing something in your code - that sounds as if you're actually doing programmatic security? The two don't mix well. I rarely use declarative security these days, because it's rather inflexible.
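To illustrate the declarative approach described in the reply above, here is a web.xml fragment added as an example (not code from either poster). The role name, URL pattern, realm name and login page names are assumptions; the database realm itself is configured on the Tomcat side, outside web.xml.

```xml
<!-- web.xml fragment (added example; role, URL pattern and page names are assumptions) -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Members area</web-resource-name>
    <url-pattern>/members/*</url-pattern>
    <!-- Listing no http-method means the constraint covers every HTTP method -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Only authenticated users holding this role (looked up in the realm) may enter -->
    <role-name>member</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Credentials and the session cookie travel only over HTTPS -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- FORM login: on the first request to a protected URL the container shows
     login.jsp, whose form posts j_username and j_password to j_security_check.
     The container checks them against the realm and keeps the authenticated
     principal in the session, so later requests in that session are not
     challenged again; no hand-written session flag is needed. -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Members</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Every role named in an auth-constraint must be declared here -->
<security-role>
  <role-name>member</role-name>
</security-role>
```

Where a servlet does need to know who is logged in, request.getRemoteUser() and request.isUserInRole("member") return the container's own view of the authenticated user, which is the check to use instead of a Boolean stored in the session by application code.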
Thanks for the response!
I have a situation where I have pages that only authorized users should be able to see. I think the scenarios are simple enough to be covered by declarative security. But I was wondering what factors I should look at.
I'd like to learn more about security and how it is typically handled when it comes to servlets and web apps in general. Anyone know a good book, or link?