Oops, I forgot one little thing.

If you want to know who is using a resource, and they have already been
authenticated, use the session context (in an ejb)

   String userid = sc.getCallerPrincipal().getName();

Obviously, you can expose this as a business method for the session ejb, and
access the userid from a servlet or jsp. This is the safest way to get the
userid into a web page. Somehow, I think manipulating the usermanager from
within a jsp offers a security hole. If anybody ever gained access to a
jsp, they could copy the code for access to the usermanager, modify it so
that an email would send the password and userid, and then put it back on
the website. The same hack on an ejb is much more difficult.

I believe the session context in the servlet api was deprecated just for
this reason.
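What the message above describes, as an added example (not code from the thread or from Orion): a stateless session bean that hands the container-authenticated caller to the web tier through a business method, written in the EJB 2.x style of the time. The bean name, method names and the "customer" role are assumptions; the home and component interfaces and ejb-jar.xml are left out.

```java
import java.security.Principal;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

// Added example: the EJB owns the identity lookup, so a JSP never touches the
// UserManager directly. Names (WhoAmIBean, getCurrentUserId) are assumptions.
public class WhoAmIBean implements SessionBean {
    private SessionContext sc;

    // The container injects the SessionContext before any business call.
    public void setSessionContext(SessionContext ctx) {
        this.sc = ctx;
    }

    // Business method a servlet or JSP calls to learn who the caller is.
    // Per the EJB spec getCallerPrincipal() never returns null; if nobody
    // logged in, the name is the container's anonymous/default principal.
    public String getCurrentUserId() {
        Principal caller = sc.getCallerPrincipal();
        return caller.getName();
    }

    // Role check against a role declared in the deployment descriptor
    // (the same "customer" role the web.xml constraint refers to).
    public boolean callerIsCustomer() {
        return sc.isCallerInRole("customer");
    }

    // Required EJB 2.x lifecycle callbacks; nothing to do for a stateless bean.
    public void ejbCreate() {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}
}
```

On the web side, HttpServletRequest.getUserPrincipal() returns the same container-established identity, which is a useful cross-check that the servlet and EJB tiers agree on who the caller is.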
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of elephantwalker
Sent: Friday, April 13, 2001 4:12 PM
To: Orion-Interest
Subject: RE: How to enable UserManager support for arbitrary user...


Alex,

I believe that what's important is the deployment descriptor according to
j2ee. As long as a role is required by the descriptor, if you navigate to
the jsp, servlet, or use a resource such as an ejb or database, as long as
the application descriptor notes the proper security role, and the path to
the resource is defined for the security role, the login screen will be
presented when the user navigates or clicks on a resource that is in a
security role. What's happening is the container will check if they are in
role; if they aren't, the login form (if you used form-based login) will come
up. You don't have to hard code this.

These bits are defined in the web.xml, or the web application descriptor.

The only hardcoding I have done is when you need to automatically login
somebody (for example, after they create an account), or when a resource is
outside of the application, but you want to control it with your security
anyway. An example of the first case is in the pet store example. If you
don't want to go to the trouble of creating a special path for your jsp
pages, you can stick an ifInRole statement on every page, and these will go
to the login page if somebody accesses a page by typing a guessed url...
mysecretplace.mycompany.com/allmysecrets.jsp, the jsp can have a statement
like:

<util:ifInRole role="customer" include="true">
 ... content
</util:ifInRole>
<util:ifInRole role="customer" include="false">
  <jsp:forward page="/control/animaginarypage" />
</util:ifInRole>

The util tags are from orion's utility tag package.

The /control path is also the j2ee path control in the deployment
descriptor. This is also a good idea on jsp content in general, because
JSPs change very frequently, and people don't always have time to update
the deployment descriptor.


Regards,

the Elephantwalker
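The web.xml "bits" the message above refers to, as an added example (not from the thread or from Orion): a security constraint on the /control path, form-based login, and the role declaration that both the constraint and the ifInRole tag rely on. The /control/* pattern, the "customer" role and the login page names are assumptions.

```xml
<!-- Added example: declarative security for the /control path.
     Paths, role name and login pages are assumptions. -->
<web-app>

  <!-- Anything under /control/ requires the "customer" role.
       No <http-method> elements are listed on purpose: naming only GET
       and POST would leave every other method unconstrained. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Customer area</web-resource-name>
      <url-pattern>/control/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>customer</role-name>
    </auth-constraint>
    <!-- Credentials and session go over TLS only. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- The container presents login.jsp (a form posting j_username and
       j_password to j_security_check) when an unauthenticated request
       hits a constrained URL. Nothing is hard-coded in the JSPs. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>customers</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- The role has to be declared here before the constraint above,
       isCallerInRole in an EJB, or <util:ifInRole> can refer to it. -->
  <security-role>
    <role-name>customer</role-name>
  </security-role>

</web-app>
```

A JSP that lives outside /control/ gets no protection from this constraint, which is exactly why the message wraps such pages in ifInRole and forwards the unauthenticated case to a /control path, where the container takes over.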
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Alex Paransky
Sent: Friday, April 13, 2001 3:20 PM
To: Orion-Interest
Subject: RE: How to enable UserManager support for arbitrary user...


Tim, this IS what I am looking for, but does it mean that I need to put this
into every .JSP page that I have?  Then, somehow (according to J2EE spec)
Orion will forward this information to all EJB calls and properly make use
of the deployment descriptor stuff?  So every .JSP page will check the
session, find the User object which I stored in there, and execute this call
with the user.login and user.password?

Thanks.
-AP_

-----Original Message-----
From: Tim Endres [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 13, 2001 3:04 PM
To: Orion-Interest
Cc: Alex Paransky
Subject: Re: How to enable UserManager support for arbitrary user...


Is this what you are looking for?

   RoleManager roleMgr = (RoleManager)
      (new InitialContext()).lookup( "java:comp/RoleManager" );
   roleMgr.login( "user", "pass" );

Unfortunately, I think that can only run in the container. To accommodate
multiple logins under a servlet, we used to use a new InitialContext on
every servlet request and set the appropriate JNDI properties for each
InitialContext construction.

tim.

> We have developed a web application with our own user/group schema.
> Creating a UserManager to map our schema seems pretty trivial.  What we are
> NOT clear on is how to tell Orion that a particular user has logged in.
>
> For example, we start our application with a LOGIN.JSP page, which accepts
> user name/password, and proceeds to find the user in the database.  After
> the user is found/authenticated, we create an HTTP session, and store a
> certain User object in the session to tell us who the user is on the next
> http request.
>
> How do we introduce J2EE security into this picture?  In other words, how do
> we tell Orion which user is logged on so that it starts using the security
> attributes/group/rights of the deployment descriptors?  Do we need to put a
> special attribute into the HTTPSession so that Orion knows on behalf of what
> user the request is running?
>
> Thanks.
> -AP_