Security on a multiple user site using JSP.

Discussion in 'Java' started by Dj Frenzy, Mar 6, 2004.

  1. Dj Frenzy

    Dj Frenzy Guest

    Hi,
    I am creating a website, which will have multiple users. Security
    with JSP is quite new to me. I want to make it possible for users to
    log in and then browse their information as they wish. In order to
    make sure that they don't have to constantly confirm their password,
    would I just use a cookie to hold their id and password for the
    duration of their session?
    Cheers,
    Dave
    Dj Frenzy, Mar 6, 2004
    #1

  2. Dj Frenzy

    Ryan Stewart Guest

    "Dj Frenzy" <> wrote in message
    news:...
    > Hi,
    > I am creating a website, which will have multiple users. Security
    > with JSP is quite new to me. I want to make it possible for users to
    > log in and then browse their information as they wish. In order to
    > make sure that they don't have to constantly confirm their password,
    > would I just use a cookie to hold their id and password for the
    > duration of their session?
    > Cheers,
    > Dave


    A session variable would be better. What if a user disables cookies?
    (Answer: Then his/her session would be lost too, but you can get around
    that.) Use session.setAttribute and session.getAttribute.
    Ryan Stewart, Mar 6, 2004
    #2

  3. On 2004-03-06, Ryan Stewart <> wrote:
    >
    > A session variable would be better. What if a user disables cookies?
    > (Answer: Then his/her session would be lost too, but you can get around
    > that.) Use session.setAttribute and session.getAttribute.
    >


    I know that JSP provides authentication for you. Why not use
    that? Then it's the JSP container's responsibility to track the user
    ID. I've experimented a little with custom login pages and HTTP Basic
    authentication in JSP, setting up a restricted area of the site in the
    WEB-INF/web.xml file. I also know that you can ask if the logged in
    user is in a given role. I know more about old Apache authentication
    than JSP specific, but would expect that current user ID is available
    from the system.

    I'll be looking at implementing some JSP helper apps to help me
    be secretary of my local panto group, keeping track of things like
    upcoming events and automailing myself or other members as appropriate.
    Using Swing would not be as educational as using JSP. I'll be logging
    the user ID with records that the user creates, also using role based
    authentication.

    - Richard

    --
    _/_/_/ _/_/_/ _/_/_/ Richard dot Corfield at ntlworld dot com
    _/ _/ _/ _/
    _/_/ _/ _/ Time is a one way street,
    _/ _/ _/_/ _/_/_/ Except in the Twilight Zone.
    Richard Corfield, Mar 6, 2004
    #3
  4. Dj Frenzy

    Ryan Stewart Guest

    "Richard Corfield" <> wrote in message
    news:...
    > On 2004-03-06, Ryan Stewart <> wrote:
    > >
    > > A session variable would be better. What if a user disables cookies?
    > > (Answer: Then his/her session would be lost too, but you can get around
    > > that.) Use session.setAttribute and session.getAttribute.
    > >

    >
    > I know that JSP provides authentication for you. Why not use
    > that? Then it's the JSP container's responsibility to track the user
    > ID. I've experimented a little with custom login pages and HTTP Basic
    > authentication in JSP, setting up a restricted area of the site in the
    > WEB-INF/web.xml file. I also know that you can ask if the logged in
    > user is in a given role. I know more about old Apache authentication
    > than JSP specific, but would expect that current user ID is available
    > from the system.
    >
    > I'll be looking at implementing some JSP helper apps to help me
    > be secretary of my local panto group, keeping track of things like
    > upcoming events and automailing myself or other members as appropriate.
    > Using Swing would not be as educational as using JSP. I'll be logging
    > the user ID with records that the user creates, also using role based
    > authentication.
    >
    > - Richard


    I haven't heard of JSP providing authentication. How is that supposed to
    work?
    Ryan Stewart, Mar 6, 2004
    #4
  5. Dj Frenzy

    Sudsy Guest

    Ryan Stewart wrote:
    <snip>
    > I haven't heard of JSP providing authentication. How is that supposed to
    > work?


    You might want to check this out:
    <http://java.sun.com/developer/technicalArticles/javaserverpages/servlets_jsp/>
    Sudsy, Mar 6, 2004
    #5
  6. Dj Frenzy

    Ryan Stewart Guest

    Ryan Stewart, Mar 7, 2004
    #6
  7. Ryan Stewart wrote:

    > "Sudsy" <> wrote in message
    > news:...
    >> Ryan Stewart wrote:
    >> <snip>
    >> > I haven't heard of JSP providing authentication. How is that supposed
    >> > to work?
    >>
    >> You might want to check this out:
    >> <http://java.sun.com/developer/technicalArticles/javaserverpages/servlets_jsp/>
    >
    > Okay, I've skimmed over it. Where is there something about JSP providing
    > user authentication?


    Not JSP per se, but a servlet container is required to provide container
    managed authentication.
    Look at the J2EE tutorial to see the different ways this can be done.

    --
    Kind regards,
    Christophe Vanfleteren
    Christophe Vanfleteren, Mar 7, 2004
    #7
