PAUL J THOMPSON wrote:
> Hummm.
>
> This prompts me to ask another question. What is the best way to
> require authentication with servlets?
>
> Paul J Thompson
>
> > Apache does not support .htaccess files to protect servlets. This is because
> > when you access servlets, there is no "real" directory for you to put your
> > .htaccess files into.
> >
> > You can use <LOCATION> directives in the httpd.conf file to protect access to
> > servlets based on their URI, instead of their actual directory.
> >
> > Craig McClanahan
>
"Best" is kind of a loaded judgement, without knowing what your criteria are.
Here's a couple of things to consider:

If you want your authentication for servlet activities to be integrated with the
web server's file protections (in particular, you want the same kind of
username/password box to be popped up), you must use the web server's
capabilities. In the Apache case, that means using <LOCATION> directives as
described above. Note that Apache has a rich set of authentication modules
available, so you can store the valid users in text files, DBM files, databases,
LDAP servers, or whatever you need.

If you want your servlet-based application to take care of all of its own login
security, you've got some coding to do. The basic idea is that you take advantage
of HTTP sessions. On every access to a servlet, you must make sure that there is
a valid session, and that you've stored in the session an object that indicates
the user has been authenticated. If they haven't, you will redirect them to a
login form (a normal HTML page) on which you ask them to log in, authenticate the
results in a servlet, and put the object in the session.

Which general approach is best really depends on your application requirements.

Craig McClanahan
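
The session-based approach described in the reply above, sketched as an added example that is not part of the original message or of any Apache project code. It assumes the javax.servlet API; the class names, the "authUser" attribute, the /login.html and /app/home paths, and the single constructed demo credential are all hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.ServletException;
import javax.servlet.http.*;

public final class SessionAuthExample {
    static final String AUTH_KEY = "authUser";   // assumed session attribute name
    // Constructed demo credential; a real application loads per-user salts and hashes from a store.
    static final byte[] SALT = "constructed-salt".getBytes(StandardCharsets.UTF_8);
    static final byte[] DEMO_HASH = pbkdf2("constructed-password".toCharArray());

    static byte[] pbkdf2(char[] password) {
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(new PBEKeySpec(password, SALT, 100_000, 256)).getEncoded();
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    /** Extend this instead of HttpServlet: every request is checked before doGet/doPost runs. */
    public abstract static class ProtectedServlet extends HttpServlet {
        @Override protected void service(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            HttpSession s = req.getSession(false);   // never create a session for anonymous users
            if (s == null || s.getAttribute(AUTH_KEY) == null) {
                resp.sendRedirect(req.getContextPath() + "/login.html");
                return;                              // the protected handler is never reached
            }
            super.service(req, resp);
        }
    }

    /** Target of the login form's POST. */
    public static class LoginServlet extends HttpServlet {
        @Override protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            String user = req.getParameter("username"), pass = req.getParameter("password");
            boolean ok = "demo".equals(user) && pass != null
                && MessageDigest.isEqual(DEMO_HASH, pbkdf2(pass.toCharArray())); // constant-time
            if (!ok) { resp.sendRedirect(req.getContextPath() + "/login.html?error=1"); return; }
            HttpSession old = req.getSession(false);
            if (old != null) old.invalidate();       // new id after login blocks session fixation
            HttpSession fresh = req.getSession(true);
            fresh.setAttribute(AUTH_KEY, user);      // the "authenticated" marker object
            fresh.setMaxInactiveInterval(15 * 60);   // idle timeout in seconds
            resp.sendRedirect(req.getContextPath() + "/app/home");
        }
    }
}
```

The login form and session cookie should only travel over HTTPS, since both the password and the session id are bearer secrets on the wire.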