Posted to users@tomcat.apache.org by Michelle <mi...@onclave.com> on 2000/11/13 19:31:47 UTC

user authentication

I've been delving through the Tomcat archives and various guru sites
out there, trying to piece together a sound approach to handling
user authentication and rights access.  I've seen some threads and
articles on using sessions, some references in the Tomcat archives
to JDBCRealm (which I cannot find anything more on), hooking into
databases, etc.  I find I am a bit miffed and am coming here looking
for some suggestions.

My site ....
> will have static and dynamic pages
> will contain both protected and unprotected areas
> in the protected areas, will require logins
> each user will be assigned a role for the protected area
    which grants access rights such as read, write, admin
    - yes, an ACL model

Any thoughts on the best approach?

> Should I use JDBCRealm (and can someone send me the link
   to docs please?)
> Should I use the session object to hold a URL to role access
    hash once a user logs?
> Should I spin my own (YIKES!)?

Experts - do you have any opinions?

Much much thanx in advance.

Michelle


Re: user authentication

Posted by Michelle <mi...@onclave.com>.
Thanx much for the quick response ... may I inquire further please?


: For our system, we're managing it all through sessions.  When the
: person logs in, their login information is checked against a database
: object.  If it matches, they're logged in.  Otherwise, they're asked to
: provide a correct login, or bugger off.
:
: After they're logged in, there is a user object associated with their
: session (session.setAttribute( "user", user )).
:
: It is this user object that decides where they can access, and what
: they can access.

Can you explain this further please - how do you manage the
url-user-role matrix in your user object?  Further, how do you do a
check in a timely fashion for every protected area of your site?

I was thinking of developing some sort of all encompassing "white
pages" for everyone and every url.  When a user logs in, I could
grab all data for that user from the white pages and stuff that info
into the session.  From then on in, for every protected page access,
I could validate the URL against the session data and not hit the
database.  Database updates for new users and roles could be handled
elsewhere.

In this scenario - I would roll my own system.

Thanx much - Michelle
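
A sketch of the session-held "white pages" lookup described above, as an added example that is not code from the original thread; the class name, the URL-prefix layout of the rights table and the sample grants are assumptions:

```java
import java.util.*;

/** Per-user URL-prefix -> rights table, built once at login and kept in the session. */
public class AccessMatrix {
    // Longest matching URL prefix wins; any path with no matching prefix is denied.
    private final Map<String, Set<String>> rightsByPrefix = new HashMap<>();

    public AccessMatrix grant(String prefix, String... rights) {
        rightsByPrefix.computeIfAbsent(prefix, k -> new HashSet<>())
                      .addAll(Arrays.asList(rights));
        return this;
    }

    /** Resolve "." and ".." and drop the query string, so "/admin/../docs/x" is judged as "/docs/x". */
    static String normalize(String rawPath) {
        String path = rawPath.split("[?#]", 2)[0];
        Deque<String> parts = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) { parts.pollLast(); continue; }
            parts.addLast(seg);
        }
        return "/" + String.join("/", parts);
    }

    /** The per-request check: session data only, no database round trip. */
    public boolean isAllowed(String rawPath, String right) {
        String path = normalize(rawPath);
        String best = null;
        for (String prefix : rightsByPrefix.keySet()) {
            String dirPrefix = prefix.endsWith("/") ? prefix : prefix + "/";
            boolean hit = path.equals(prefix) || path.startsWith(dirPrefix);
            if (hit && (best == null || prefix.length() > best.length())) best = prefix;
        }
        return best != null && rightsByPrefix.get(best).contains(right);
    }

    public static void main(String[] args) {
        // Constructed sample: what a login would load from the white pages for one user,
        // then store with session.setAttribute("acl", alice) for later requests.
        AccessMatrix alice = new AccessMatrix()
            .grant("/docs", "read")
            .grant("/docs/drafts", "read", "write");
        System.out.println("read  /docs/intro.html:      " + alice.isAllowed("/docs/intro.html", "read"));
        System.out.println("write /docs/intro.html:      " + alice.isAllowed("/docs/intro.html", "write"));
        System.out.println("write /docs/drafts/new.jsp:  " + alice.isAllowed("/docs/drafts/new.jsp", "write"));
        System.out.println("read  /docs/../admin/u.jsp:  " + alice.isAllowed("/docs/../admin/u.jsp", "read"));
    }
}
```

Because the table is copied into the session at login, a role change made in the database only takes effect once that user's session is refreshed or invalidated.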


Re: user authentication

Posted by Daniel Bruce Lynes <dl...@home.com>.
On Mon, 13 Nov 2000, Michelle wrote:

> I've been delving through the Tomcat archives and various guru sites
> out there, trying to piece together a sound approach to handling
> user authentication and rights access.  I've seen some threads and
> articles on using sessions, some references in the Tomcat archives
> to JDBCRealm (which I cannot find anything more on), hooking into
> databases, etc.  I find I am a bit miffed and am coming here looking
> for some suggestions.
> 
> My site ....
> > will have static and dynamic pages
> > will contain both protected and unprotected areas
> > in the protected areas, will require logins
> > each user will be assigned a role for the protected area
>     which grants access rights such as read, write, admin
>     - yes, an ACL model

For our system, we're managing it all through sessions.  When the person logs
in, their login information is checked against a database object.  If it
matches, they're logged in.  Otherwise, they're asked to provide a correct
login, or bugger off.

After they're logged in, there is a user object associated with their session
(session.setAttribute( "user", user )).

It is this user object that decides where they can access, and what they
can access.

> 
> Any thoughts on the best approach?
> 
> > Should I use JDBCRealm (and can someone send me the link
>    to docs please?)
> > Should I use the session object to hold a URL to role access
>     hash once a user logs?
> > Should I spin my own (YIKES!)?

That's what we chose to do.  However, we have very specific needs for our
project.  Perhaps you do not, for yours.  Perhaps you just want a UNIX-style ACL
system.  If that is the case, and you're not overly concerned about passwords
flying over the network, you might consider Apache access control files (if
you're using Apache), or whatever the similar item is for IIS.

Daniel Lynes
eService System Corp.