Hi, Lawrence

You certainly don't need to declare your users - I have successfully created
new users from scratch and logged them into the server using the Orion user
manager APIs. I'd think it rather a poor user manager if one had to declare
all the users ahead of time in a deployment descriptor. :-)

I'm no expert on any of this - just experimenting - but the impression I got
is that authenticate() is a verification method, nothing more and nothing
less. It will confirm that the (username, password) pair you supply exists
in the user mgmt database (referenced by DataSourceUserManager), and you
then act on that assumption in your code. The method that apparently (well,
it works for me) logs a principal into the J2EE server security mechanism is
login(), in RoleManager.

My take is: *UserManager, User, Group are for straightforward management of
users - adding, removing, grouping. RoleManager is for logging in a user
with the desired role.

I haven't found the code requirements particularly onerous so far.

As far as the datasource goes, I don't know for sure. I'm using Hypersonic
at the moment and I went ahead and used a separate database, not just
separate tables (one for users, one for groups). So I have 2 datasources in
data-sources.xml. I'll refrain from further comment.

For my part I'd like some clarification from the Orion team as to the
distinction between UserManager stuff in orion-application.xml and just
doing it in code. The latter seems to work.

Arved Sandstrom

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Lawrence Fry
Sent: Wednesday, August 30, 2000 7:23 PM
To: Orion-Interest
Subject: usermanager's


Ok...I admit it, I am stuck in user-land and need a map to get out.

It looks like the usermanager methodology is the way to authenticate my
users on my website. However, I am a little stuck.

If you look at the pet store example, nobody can log in unless you are a
user as identified in the principals.xml file, or you create a new user
every time. Ok for a demo, but pretty useless for an ecommerce application.

The datasourceusermanager seems pretty good, except that without the
container/transaction stuff, we would have to implement all of that
ourselves. That brings me to the ejbusermanager. It's part of the
ejb/transaction management stuff, and provided my database can be relatively
secure, we can do our user authentication. But I have some befuddling
questions:

1. If we include the user-manager declaration in the orion-application.xml,
is the rolemanager the proper interface for logging users in? Or must we get
the ejb reference, and hardcode the login? i.e.,
userbean.authenticate(password)...

2. Will I need a separate datasource for the ejbusermanager?

3. Are there any examples of ejbusermanager authentication (soup to nuts)?

Regards and befuddled,

Lawrence