Hi All,
I have a question regarding security in a web application. I am aware of the fact that there are 4 types of possible authentication mechanisms for web based applications using JSPs; just to be a pain: BASIC, FORM, DIGEST and CLIENT-CERT. Now that that's out of the way, I would like to present my problem.

I can't use any of these methods, as we are currently restructuring the infrastructure and there are multiple web applications running on the same instance of WebLogic 7.0, which we are using. I would like to use FORM based authentication and base my authorization on that; however, I can't replace the default Realm, as it would interfere with the current applications running there. This problem will persist for the next few months. We need to start working on a new project and need a solution which will not require us to rewrite large chunks of code once we can adopt our own Realm. The user information, groups, permissions and so on are all stored in our DB. The new Realm will be based on that.

I might be wrong, but my feeling is that if we manage to set the standard Principal, along with his role and permissions, in the web application once he has gone through the authentication process, the authorization process will not require any changes once the new Realm is in place. I understand that there will need to be a workaround for further security, which is not done by the container now but will be done once FORM authentication is in place using the Realm, but this will not affect authorization in the normal flow of things.
Bottom line: how and where can a principal and his role be set in a Servlet/JSP application, after authentication, without the standard authentication mechanism of WebLogic? I guess this applies not only to WebLogic but to any J2EE server.
Your help will be greatly appreciated.
Martin
To change your membership options, refer to: http://www.sys-con.com/java/list.cfm
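One way to do what the post asks, as an added example that is not part of the original thread or of WebLogic: a Servlet 2.3 filter that wraps the request so `getUserPrincipal()`, `getRemoteUser()` and `isUserInRole()` answer from a principal stored in the session after the application's own DB login. Authorization code written against those standard calls then needs no change when container-managed FORM authentication with a custom Realm is introduced later. The class names `SessionPrincipalFilter` and `AppUser` and the session attribute `app.user` are assumptions, not names from the post.

```java
// Added example (not from the original post). Assumes a login servlet has already
// verified the user against the application DB and stored an AppUser in the
// session under "app.user" (hypothetical names). Written against Servlet 2.3
// (javax.servlet), which is what WebLogic 7.0 supports.
import java.io.IOException;
import java.security.Principal;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

public class SessionPrincipalFilter implements Filter {
    public static final String USER_ATTR = "app.user";

    /** Principal plus the role names loaded from the application DB. */
    public static final class AppUser implements Principal {
        private final String name;
        private final Set roles;   // Set of String role names
        public AppUser(String name, Set roles) { this.name = name; this.roles = roles; }
        public String getName() { return name; }
        public boolean hasRole(String role) { return roles.contains(role); }
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);   // never create a session here
        AppUser user = (session == null) ? null : (AppUser) session.getAttribute(USER_ATTR);
        // Wrap only when the application has a user and the container has not already
        // authenticated the request: once the real Realm is active, the container's
        // principal is used and this filter becomes a no-op.
        if (user != null && http.getUserPrincipal() == null) {
            final AppUser u = user;
            http = new HttpServletRequestWrapper(http) {
                public Principal getUserPrincipal() { return u; }
                public String getRemoteUser() { return u.getName(); }
                public boolean isUserInRole(String role) { return u.hasRole(role); }
            };
        }
        chain.doFilter(http, res);
    }
}
```

Map the filter to `/*` in web.xml so every servlet and JSP sees the wrapped request, and have the login servlet invalidate any existing session before storing the `AppUser` so a pre-login session id is never carried over. Until the container does it, URL-based access control for protected paths must also be enforced in application code (for example in this filter), since `<security-constraint>` entries in web.xml only take effect with the container's own authentication.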
