>On 4/12/00 7:13 PM, Vyacheslav Pedak at [EMAIL PROTECTED] wrote:
>
>>> I'm looking for some code (or guidance) for performing user authentication
>>> in JSP. The JSP spec makes some vague comment about being an extension of
>>> the servlet spec, but what does that mean? What do I need to do to
>>> authenticate a user's login/password, send a cookie to the client and then
>>> use the user's info in subsequent JSPs?
>>
>> See Java Servlet API specification 2.2, you can download it from
>> http://java.sun.com/products/servlet/2.2/
>
>Thanks, but I *also* scoured the spec. What parts of the spec answer my
>question?
There are many techniques to do user authentication at the application level
that have been discussed often on this mailing list. I'd like to focus here
on the meat of your question -- what does the servlet container do for me?
There are four things that need to happen for the stuff in the spec (as
described below) to provide container-managed security for you.
* You have to be running a servlet container based on the version 2.2
(or later) specification for anything described here to matter. There
was no standardized support in previous versions.
* The 2.2-compatible servlet container you are running on must support
the security features of the spec. Check the documentation on your
servlet container to make sure.
* You must define one or more <security-constraint> elements, plus a
<login-config> element, in your web application deployment descriptor.
The <security-constraint> element describes what URL patterns (within
your app) should be protected, and what "roles" a user must possess
to access those resources. The <login-config> element describes how
you're going to perform authentication -- for example, you can choose
HTTP BASIC authentication by including <auth-method>BASIC</auth-method>
inside. See Section 11 of the spec for much more about security.
* You must register your usernames and passwords, and their associated
role assignments, in the users database for your container. How you
do this is different for every server -- again, check the docs.
When you do these things, the servlet container enforces the authentication and
access control restrictions you've defined, and you can use the security-related
calls on HttpServletRequest (getRemoteUser, getUserPrincipal, and
isUserInRole) to find out more information about who was authenticated.
>
>>> And, more generally, what parts of
>>> the servlet API are accessible to my code when I'm using JSP?
>>>
>>
>> All API
>How?
Every JSP page gets compiled into a servlet. Therefore, the generated code
can do anything a servlet can. For example, the "request", "response", and
"session" implicit objects that your page can access are instances of
HttpServletRequest, HttpServletResponse, and HttpSession respectively --
therefore, these objects have all the methods defined in the servlet API.
>
>--johnt
>
Craig McClanahan
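As an added illustration of the deployment-descriptor steps in Craig's reply (this fragment is not from the original message; the /admin/* path, the "admin" role and the realm name are assumed for the example), here is a minimal Servlet 2.2 web.xml that protects one URL pattern with HTTP BASIC authentication:

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>

  <!-- Everything under /admin/ (assumed path) is reachable only by an
       authenticated user who holds the "admin" role (assumed role name).
       No <http-method> is listed, so the constraint covers every HTTP
       method; listing some would leave the others unconstrained. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <!-- BASIC sends the password base64-encoded, not encrypted, on every
         request, so require SSL for these URLs. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- How the container challenges the user: HTTP BASIC, as in the reply. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example Realm</realm-name>
  </login-config>

  <!-- Declare every role named in an auth-constraint or passed to
       isUserInRole(), otherwise the container may reject the descriptor. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>

</web-app>
```

With this in place and the "admin" role mapped to real accounts in the container's own user database (the fourth step above, which is server-specific), the container challenges any request for /admin/* before your page runs. A JSP under that path can then read the result through the implicit request object, for example request.getRemoteUser() for the login name and request.isUserInRole("admin") for the role check, without handling passwords or cookies itself.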
===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
Some relevant FAQs on JSP/Servlets can be found at:
http://java.sun.com/products/jsp/faq.html
http://www.esperanto.org.nz/jsp/jspfaq.html
http://www.jguru.com/jguru/faq/faqpage.jsp?name=JSP
http://www.jguru.com/jguru/faq/faqpage.jsp?name=Servlets