Posted to users@tomcat.apache.org by Renato Romano <r....@set-network.com> on 2003/12/15 18:05:22 UTC

Authentication Pattern

I would like some clarifications about handling authentication in a
webapp:

it seems to me the simplest way to authenticate users is using form-based
auth, in conjunction with declarative security (declaring
resources/roles in web.xml); the main problem with this approach in my
opinion is handling several login pages, for example; moreover, in order
to allow authentication to be performed on the home page, you need to
"force" the client to make a request to a protected page (correct??!!),
which seems not so clean!! 
I read something about JAAS, but didn't understand, for example, once
logged in what should be done with the Subject object obtained after the
login process!!! Are following requests automatically recognized as coming
from an authenticated user, as with normal form-based auth ?? I'm a
little confused about all this stuff... The main goals I have are:

Allow login from the home page
Allow login from several pages (I can specify only one login page in
web.xml !)
Make all this in a clean way (for example not redirecting the
user to a reserved page for making tomcat present the login page !!)

Thanks everyone
Renato

____________________________________
Renato Romano
Sistemi e Telematica S.p.A.
Calata Grazie - Vial Al Molo Giano
16127 - GENOVA

e-mail: r.romano@set-network.com
Tel.:   010 2712603
_____________________________________




---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: Authentication Pattern

Posted by Adam Hardy <ah...@cyberspaceroad.com>.
On 12/15/2003 06:05 PM Renato Romano wrote:
> it seems to me the simplest way to authenticate users is using form-based
> auth, in conjunction with declarative security (declaring
> resources/roles in web.xml); the main problem with this approach in my
> opinion is handling several login pages, for example; moreover, in order
> to allow authentication to be performed on the home page, you need to
> "force" the client to make a request to a protected page (correct??!!),
> which seems not so clean!! 

Whether it's not clean is a point of view: from another point of view, 
why should someone login on your home page when you have decided not to 
protect it?

> I read something about JAAS, but didn't understand, for example, once
> logged in what should be done with the Subject object obtained after the
> login process!!! Are following requests automatically recognized as coming
> from an authenticated user, as with normal form-based auth ?? I'm a
> little confused about all this stuff... The main goals I have are:

In your JAAS code you just give it to the container. The container does 
what it has to with it. It's not a problem. But in the appservers I have 
used (er well just tomcat) you don't get to see your Subject again. You 
can query methods on the request object to find out about it, but that's 
it.

> Allow login from the home page

Only circuitously as you have guessed.

> Allow login from several pages (I can specify only one login page in
> web.xml !)
> Make all this in a clean way (for example not redirecting the
> user to a reserved page for making tomcat present the login page !!)

Basically your idea of a clean way is ruling out the possibilities. 
People do make use of CMS, but when they need the features you need, 
they all end up using redirects.

Adam

-- 
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian
