Security on a multiple user site using JSP.

Dj Frenzy

Hi,
I am creating a website, which will have multiple users. Security
with JSP is quite new to me. I want to make it possible for users to
log in and then browse their information as they wish. In order to
make sure that they don't have to constantly confirm their password,
would I just use a cookie to hold their id and password for the
duration of their session?
Cheers,
Dave
 
Ryan Stewart

Dj Frenzy said:
Hi,
I am creating a website, which will have multiple users. Security
with JSP is quite new to me. I want to make it possible for users to
log in and then browse their information as they wish. In order to
make sure that they don't have to constantly confirm their password,
would I just use a cookie to hold their id and password for the
duration of their session?
Cheers,
Dave

A session variable would be better. What if a user disables cookies?
(Answer: Then his/her session would be lost too, but you can get around
that.) Use session.setAttribute and session.getAttribute.
 
Richard Corfield

A session variable would be better. What if a user disables cookies?
(Answer: Then his/her session would be lost too, but you can get around
that.) Use session.setAttribute and session.getAttribute.

I know that JSP provides authentication for you. Why not use
that? Then it's the JSP container's responsibility to track the user
ID. I've experimented a little with custom login pages and HTTP Basic
authentication in JSP, setting up a restricted area of the site in the
WEB-INF/web.xml file. I also know that you can ask if the logged in
user is in a given role. I know more about old Apache authentication
than JSP specific, but would expect that current user ID is available
from the system.

I'll be looking at implementing some JSP helper apps to help me
be secretary of my local panto group, keeping track of things like
upcoming events and automailing myself or other members as appropriate.
Using Swing would not be as educational as using JSP. I'll be logging
the user ID with records that the user creates, also using role-based
authentication.

- Richard
 
Ryan Stewart

Richard Corfield said:
I know that JSP provides authentication for you. Why not use
that? Then it's the JSP container's responsibility to track the user
ID. I've experimented a little with custom login pages and HTTP Basic
authentication in JSP, setting up a restricted area of the site in the
WEB-INF/web.xml file. I also know that you can ask if the logged in
user is in a given role. I know more about old Apache authentication
than JSP specific, but would expect that current user ID is available
from the system.

I'll be looking at implementing some JSP helper apps to help me
be secretary of my local panto group, keeping track of things like
upcoming events and automailing myself or other members as appropriate.
Using Swing would not be as educational as using JSP. I'll be logging
the user ID with records that the user creates, also using role-based
authentication.

- Richard

I haven't heard of JSP providing authentication. How is that supposed to
work?
 
