Authenticating to servlet

Ike

If I have a servlet, which handles requests from an Applet, to access a
database via jdbc, I have the servlet authenticate to the database. I also
have the applet authenticate to the servlet.

As I understand it, this is the standard way of doing things.

HOWEVER, in order for the applet to authenticate to the servlet, the servlet
must look up the applet's username/password with each request to the servlet,
yes? Is there a way to avoid that? I am using connection pooling in my
servlet, and am hoping - looking for a means whereby - the applet can
authenticate to the servlet only one time when the applet is invoked.

How do you typically do this? Thanks, Ike
 
Wendy S

Ike said:
If I have a servlet, which handles requests from an Applet, to access a
database via jdbc, I have the servlet authenticate to the database. I also
have the applet authenticate to the servlet.
HOWEVER, in order for the applet to authenticate to the servlet, the servlet
must look up the applet's username/password with each request to the servlet,
yes? Is there a way to avoid that? I am using connection pooling in my
servlet, and am hoping - looking for a means whereby - the applet can
authenticate to the servlet only one time when the applet is invoked.
How do you typically do this? Thanks, Ike

I don't do applets, but I don't see how it's any different from a user
authenticating at the beginning of a session. I put an object in the
session and check for it at the beginning of each request. If I find the
object, then I let them in, if not, I redirect to a login page. Instead of
redirecting to login, you would presumably do this lookup of the applet's
username/password that you mention.

I don't see what that has to do with connection pooling, though.
 
Wendy S

Wendy S said:
I don't do applets, but I don't see how it's any different from a user
authenticating at the beginning of a session.

Hmmm.... well, on second thought, how are you going to identify the
"session" for a request coming from an applet? Never mind, then...
 
Ike

Yes.....I thought (mistakenly perhaps) that typically people assigned a
connection object with a login. I guess not though. Perhaps I can obtain a
session object, passing it via php or jsp as a parameter to the applet
(ugh)......there must be an easier way?

-Ike
 
Wendy S

Ike said:
Yes.....I thought (mistakenly perhaps) that typically people assigned a
connection object with a login. I guess not though. Perhaps I can obtain a
session object, passing it via php or jsp as a parameter to the applet
(ugh)......there must be an easier way?

Not me, I grab connections and throw them away as soon as I'm done with
them. Holding connections open for long periods of time isn't appealing to
me.

I don't know enough about how sessions are created and stored in Tomcat to
be able to advise, but I bet you can get the session ID and pass it to the
applet. From what I've seen, (and I have no idea if this would work,) you
might be able to tag it on the end of the URL with
;jsessionid=aldjf89623865 and Tomcat will pick that up and "know" what
session the request belongs to.

Play around with Tomcat sessions with your browser, you'll see the
jsessionid get appended to the URL on the first request (and IIRC
subsequent requests as well if you don't have cookies enabled). So the
applet could just behave like a non-cookie-enabled browser. Tomcat isn't
going to know the difference, all it sees is a request.

The applet/servlet communication I'm talking about here is over HTTP. You
can send pretty much anything over HTTP, even serialized objects. So when
you talk about passing the session id as a parameter, I would not do that.
I would have the applet connect to the server and ask, "What's my session
id?" Then it would remember that value and append it to any subsequent
requests so that the server will know what session the applet is in.

Note, however, that I've never actually written an applet. :) All my
experience is server-side.

This is still separate from the issue of connection pooling though!
 
Ike

Thanks Wendy,

You're right, it doesn't have anything to do with connection pooling, I just
stated that because I thought there might be an outside chance that
connection pooling was somehow germane to the question (obviously not!). I
am certain I can authenticate to the servlet via the session ID, BUT...I
wonder how you initially authenticate without having the password/userid
picked up via a sniffer? //Ike
 
Wendy S

Ike said:
I wonder how you initially authenticate without having the password/userid
picked up via a sniffer? //Ike

Very carefully. This is one reason I don't use applets. Are you requiring
the user to authenticate, or is it the same userid/password for all
instances of the applet?

(Sure wish someone else would jump in here... I've never written an applet!)
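
The approach discussed in this thread (authenticate once, mark the session, check the marker on every later request, and keep the login away from sniffers by requiring HTTPS), shown as an added example that is not code from any poster. The class name, the `/login` path, the `user`/`password` parameter names, the session attribute name and the `checkCredentials` hook are assumptions.

```java
import java.io.IOException;
import javax.servlet.http.*;

// Added example; class, attribute and path names are assumptions.
public abstract class AppletGatewayServlet extends HttpServlet {
    private static final String AUTH_ATTR = "authenticatedUser";

    // Hypothetical hook: verify against the application's own user store.
    protected abstract boolean checkCredentials(String user, String password);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Refuse plain HTTP so neither password nor session id is sent in clear text.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        if ("/login".equals(req.getPathInfo())) {
            login(req, resp);
            return;
        }
        // Data requests: look for an existing session, never create one here.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute(AUTH_ATTR) == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // ... borrow a pooled JDBC connection, do the work, return it to the pool ...
        resp.setContentType("text/plain");
        resp.getWriter().println("ok");
    }

    private void login(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getParameter("user");
        String password = req.getParameter("password");
        if (user == null || password == null || !checkCredentials(user, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Discard any pre-login session so the authenticated one gets a fresh id.
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        HttpSession session = req.getSession(true);
        session.setAttribute(AUTH_ATTR, user);
        // The applet appends ";jsessionid=<id>" to later URLs, as described in the thread.
        resp.setContentType("text/plain");
        resp.getWriter().println(session.getId());
    }
}
```

A session id carried in the URL ends up in server access logs, so a session cookie is the better carrier when the applet's HTTP client keeps cookies.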
 
