Serving content based on authenticated roles

 
Hi

I would like my users to authenticate (username/password) from the home page (index.html), or one click from the home page to use SSL. When the user is authenticated I would like the server to look up the user's role in a role table and serve them with content specific to that role (or to send them to a session-based role selector page if they have more than one role).

I'm considering Container Managed Security (CMS) using form-based authentication with DataSourceRealm and SSL on the server side.

However, when using CMS the user is directed to the form-login-page only when the user tries to access a constrained resource or servlet. So CMS acts more like a hurdle, while I would like it to act a little more proactively.

Any clues on how I can get a user to authenticate before they try to access a constrained resource, and then serve them content based on their authentication details? (Using Ajax would be preferred).

Thanks

Marten





 

marten kay wrote:Hi

I would like my users to authenticate (username/password) from the home page (index.html), or one click from the home page to use SSL. When the user is authenticated I would like the server to look up the user's role in a role table and serve them with content specific to that role (or to send them to a session-based role selector page if they have more than one role).

I'm considering Container Managed Security (CMS) using form-based authentication with DataSourceRealm and SSL on the server side.

However, when using CMS the user is directed to the form-login-page only when the user tries to access a constrained resource or servlet. So CMS acts more like a hurdle, while I would like it to act a little more proactively.

Any clues on how I can get a user to authenticate before they try to access a constrained resource, and then serve them content based on their authentication details? (Using Ajax would be preferred).

Thanks

Marten



Marten, how is your security constraint defined in web.xml? I mean to ask, what are the resources in your webapp that you are constraining?
 
marten koomen

Hi Kumar

I am still in the design stages, so I can't give my web.xml example at the moment. However, the scenario is this: the application is for teachers testing students, so whenever a teacher logs in, the page they see must be different to when the student logs in, and when the student logs in they should not be able to access the teacher's servlets or JSPs.

My current thinking is to implement authentication myself and to have all requests to the app come through one servlet that authenticates (when details are entered by the user from index.jsp) and then, based on roles found during authentication, the request is delegated to an object to process the request. For future requests, the request would come through the same single servlet, where the authority for the user is checked before delegating the request to an object to process. This seems simple enough to do, but I'm not too sure if it's a good idea to implement all security myself.

Marten
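
One way to get the proactive login asked for in this thread while leaving password checking to the container's realm, as an added example that is not code from any poster. It assumes a Servlet 3.1+ container (javax.servlet API) with a realm such as DataSourceRealm already configured; the `/login` mapping, the role names `teacher` and `student`, and the JSP paths are hypothetical.

```java
// Added example, not code from the thread. Role names, URL mapping and
// JSP paths are hypothetical; the realm is assumed to be configured already.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/login")
public class RoleLoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Refuse credentials that did not arrive over TLS (behind a
        // TLS-terminating proxy the container must be told about it).
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        try {
            if (req.getUserPrincipal() == null) {
                // Programmatic login: the container validates against its realm.
                req.login(req.getParameter("username"), req.getParameter("password"));
            }
        } catch (ServletException e) {
            // Same answer for unknown user and wrong password.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Issue a fresh session id after authentication (session fixation).
        req.getSession(true);
        req.changeSessionId();

        boolean teacher = req.isUserInRole("teacher");
        boolean student = req.isUserInRole("student");
        String target;
        if (teacher && student) {
            target = "/WEB-INF/views/choose-role.jsp"; // role selector page
        } else if (teacher) {
            target = "/WEB-INF/views/teacher/home.jsp";
        } else if (student) {
            target = "/WEB-INF/views/student/home.jsp";
        } else {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN); // authenticated, no known role
            return;
        }
        req.getRequestDispatcher(target).forward(req, resp);
    }
}
```

This servlet only chooses the landing page; the teacher's servlets and JSPs still need their own `<security-constraint>` entries in web.xml so that a student cannot request them directly.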

 