JavaRanch » Java Forums » Java » Servlets
Authorization using Servlets

Tarun Oohri
Ranch Hand

Joined: Feb 20, 2013
Posts: 178
Hi everyone

I am making a project in which I want a separate welcome page for a group of users. I know I have to use the "IsUserInRole" concept. But wherever I search I just get a snippet of the xml (<security-role-mapping>).
Can anybody give me a prototype example of how to actually implement it?

Thanks in Advance!!!
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16240

A user can have more than one security role, so that isn't a good key to select a welcome/home page. Also, you should be aware that when the webapp-controlled login processes, it doesn't automatically direct one to a "welcome page", it directs one to whatever page was requested that required the login. Which is actually better if you like to "favorite" secured pages, since it allows the user to go directly to what's needed.

Probably a better way to select a welcome page is to maintain a list (for example, a database table) that associates a user with a particular welcome page (as well as any other general user-specific characteristics you might want). The welcome page could then select content based on a lookup of this information.

As I said, selection of a welcome page is not automatic, so this assumes that either the user has been directed to go to a secured home page or that you have added login-detection logic that will override the normal operation and redirect to a welcome page (at which time you can select which page to redirect to using the above tactic). There is no specific J2EE "login event" that can be listened to, since in cases with Single Sign-on, login might occur external to the webapp, but the next best thing is to look for changes in the HttpServletRequest getRemoteUser() in a ServletListener.


Customer surveys are for companies who didn't pay proper attention to begin with.
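The login-detection tactic described in the post above, written out as an added example (this is not code from the thread or from any JavaRanch poster). It is a Servlet 3.0 javax.servlet.Filter rather than a listener, so that the redirect can be sent from the same place the change in getRemoteUser() is detected; @WebFilter assumes a Servlet 3.0 container such as Tomcat 7. The class name, session attribute, sample user names and welcome-page paths are all hypothetical, and the in-memory map stands in for the database table the post suggests.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Detects the first request after container-managed login (getRemoteUser()
 * flips from null to a user name) and redirects once, per session, to a
 * welcome page chosen from a server-side table. Hypothetical example.
 */
@WebFilter("/*")
public class WelcomeRedirectFilter implements Filter {

    /** Session attribute recording the user we have already redirected. */
    static final String GREETED_ATTR = "welcome.greetedUser";

    /** Fallback when the user has no row in the lookup table. */
    static final String DEFAULT_WELCOME = "/home.jsp";

    /**
     * Stand-in for the "user -> welcome page" table. A real deployment
     * would query a DataSource here; these entries are constructed sample data.
     */
    private static final Map<String, String> WELCOME_PAGES;
    static {
        Map<String, String> m = new HashMap<String, String>();
        m.put("alice", "/welcome/manager.jsp");
        m.put("bob", "/welcome/auditor.jsp");
        WELCOME_PAGES = Collections.unmodifiableMap(m);
    }

    /**
     * Decides whether this request needs a redirect and to which page.
     * Returns null when the request should simply pass through.
     */
    static String welcomeTargetFor(String remoteUser, String greetedUser) {
        if (remoteUser == null) {
            return null; // not authenticated yet
        }
        if (remoteUser.equals(greetedUser)) {
            return null; // this user was already sent to the welcome page
        }
        String page = WELCOME_PAGES.get(remoteUser);
        return page != null ? page : DEFAULT_WELCOME;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String remoteUser = request.getRemoteUser();
        HttpSession session = request.getSession(false);
        String greeted = session == null ? null : (String) session.getAttribute(GREETED_ATTR);

        String target = welcomeTargetFor(remoteUser, greeted);
        if (target == null) {
            chain.doFilter(req, res);
            return;
        }
        // Remember the user so later requests in this session (including
        // bookmarked secured pages) pass straight through.
        request.getSession(true).setAttribute(GREETED_ATTR, remoteUser);
        // The target comes only from the server-side table, never from a
        // request parameter, so the redirect cannot be steered by the client.
        response.sendRedirect(request.getContextPath() + target);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

If the user logs in as someone else within the same session, the stored name no longer matches getRemoteUser() and the filter redirects again, so the check is keyed on the authenticated identity rather than on the session alone.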
Tarun Oohri
Ranch Hand

Joined: Feb 20, 2013
Posts: 178
Thanks Tim for your valuable comments. I have just got a snippet related to programmatic security in web applications. I have never implemented security in my application.... The code is as follows:


I am not able to understand its concept fully... The foremost question is how will we assign a particular "username" to its corresponding "role"...

The "IsUserInRole" method is understandable, but where is the information to be stored which can tell that this set of users will have that type of roles?

I hope I am able to put my question clearly ... Thanks !!
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42608
That depends on the servlet container you're using. For Tomcat, the options are described here: http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html


Ping & DNS - my free Android networking tools app
Tarun Oohri
Ranch Hand

Joined: Feb 20, 2013
Posts: 178
Ulf Dittmer wrote:That depends on the servlet container you're using. For Tomcat, the options are described here: http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html


Thanks Ulf Dittmer..
Tarun Oohri
Ranch Hand

Joined: Feb 20, 2013
Posts: 178
Tarun Oohri wrote:
Ulf Dittmer wrote:That depends on the servlet container you're using. For Tomcat, the options are described here: http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html


Thanks Ulf Dittmer.. but isn't it a tedious task to write all the users in the Tomcat server file? Say, if we have a million users then we have to do billion entries in the server file and assign their roles... Any other alternative to this?
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16240
A Realm is a plugin component that (usually) references a security role and credential database.

The term "database" here is very abstract, since the actual information may be accessed by just about any mechanism you can think of, including LDAP, web services, data files (such as tomcat-users.xml), and DBMS's.

DBMSs and Active Directory/LDAP are the most common ways, but I've done web service interfaces and even written custom Realm modules of my own.
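To tie the Realm discussion back to the original isUserInRole question, here is an added example (not code from the thread or from any poster) of the part the web application itself writes. The user-to-role mapping lives entirely in the container's Realm (for Tomcat, one of the implementations in the realm-howto linked above, e.g. a database-backed one), and the container authenticates the caller before this servlet runs; the servlet only tests roles that web.xml declares. The servlet path, role names, view paths and the web.xml elements summarised in the comment are all assumptions made for this example, and it assumes a Servlet 3.0 container for @WebServlet.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Role-aware landing servlet (hypothetical example).
 *
 * Assumed web.xml declarations that make the container do the work:
 *   <security-constraint>
 *     <web-resource-collection><url-pattern>/secure/*</url-pattern></web-resource-collection>
 *     <auth-constraint>
 *       <role-name>manager</role-name><role-name>auditor</role-name><role-name>member</role-name>
 *     </auth-constraint>
 *   </security-constraint>
 *   <login-config><auth-method>FORM</auth-method> ... </login-config>
 *   <security-role><role-name>manager</role-name></security-role>   (one per role)
 *
 * Which users hold which role is not in this code or in web.xml at all;
 * the container's Realm answers that when isUserInRole() is called.
 */
@WebServlet("/secure/landing")
public class LandingServlet extends HttpServlet {

    /** Roles this application declares; must match the <security-role> entries. */
    static final String[] KNOWN_ROLES = { "manager", "auditor", "member" };

    /** Collects every declared role the current caller holds. */
    static List<String> rolesHeldBy(HttpServletRequest request) {
        List<String> held = new ArrayList<String>();
        for (String role : KNOWN_ROLES) {
            if (request.isUserInRole(role)) {
                held.add(role);
            }
        }
        return held;
    }

    /**
     * Chooses the view for a set of roles. Precedence is explicit because
     * one user may legitimately hold several roles at once.
     */
    static String viewFor(List<String> roles) {
        if (roles.contains("manager")) return "/WEB-INF/views/manager.jsp";
        if (roles.contains("auditor")) return "/WEB-INF/views/auditor.jsp";
        if (roles.contains("member"))  return "/WEB-INF/views/member.jsp";
        return null; // authenticated, but holds no role this app knows
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Principal user = request.getUserPrincipal();
        if (user == null) {
            // Only reachable if the URL is not covered by a <security-constraint>;
            // fail closed instead of rendering anything.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        List<String> roles = rolesHeldBy(request);
        String view = viewFor(roles);
        if (view == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        request.setAttribute("roles", roles);
        // Views live under /WEB-INF so they can only be reached via this forward,
        // never by a direct request that bypasses the role check.
        request.getRequestDispatcher(view).forward(request, response);
    }
}
```

Moving from tomcat-users.xml to a database-backed Realm changes only the container configuration; this servlet, and the web.xml role declarations, stay the same, which is why the roles are declared once in web.xml and looked up per user in the Realm rather than listed per user in the application.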