Guess no one has yet made the point that without SSL (i.e. "https:"),
using basic authentication is the equivalent of sending the username and
password across the network as plain text.
This is a remarkably *bad* idea.
If you will *always* use SSL this isn't an issue.
Unless of course someone cracks the SSL implementation...
I dislike the idea so much that I don't use basic authentication.
Instead I send a small applet that encrypts the username/password before
sending it back to the server.
The remainder of the semantics are then easy:
---
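import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Return the per-session state, creating a LoginState on first contact.
State getState(HttpServletRequest request) {
    HttpSession session = request.getSession(true);
    State state = (State) session.getValue("my.state");
    if (null == state) {
        // No state stored yet, so this user has not logged in.
        state = new LoginState();
        // HttpSession offers putValue(), not setValue().
        session.putValue("my.state", state);
    }
    return state;
}

// Drop the stored state so the next getState() call starts at LoginState again.
void Logout(HttpServletRequest request) {
    HttpSession session = request.getSession(true);
    session.removeValue("my.state");
}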
---
Once you reach the LoginState the login page is presented.
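
The point about basic authentication over plain HTTP, as an added example that is not part of the original post: the Authorization header is only base64-encoded, so anyone who can read the request recovers the password without a key, and a server can refuse Basic credentials that did not arrive over TLS. The class and method names and the sample credentials are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthExposure {

    /** Decodes a Basic Authorization header into {user, password}; null if not Basic or malformed. */
    static String[] decodeBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            String pair = new String(raw, StandardCharsets.UTF_8);
            // Split on the first ':' only: the user name cannot contain one, the password may.
            int colon = pair.indexOf(':');
            if (colon < 0) {
                return null;
            }
            return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
        } catch (IllegalArgumentException e) {
            return null; // not valid base64
        }
    }

    /**
     * Server-side guard: accept Basic credentials only when the request came over TLS.
     * In a servlet, secureTransport would be the result of request.isSecure().
     */
    static boolean acceptBasic(boolean secureTransport, String header) {
        return secureTransport && decodeBasic(header) != null;
    }

    public static void main(String[] args) {
        // Constructed sample: the header a client sends for user "alice", password "s3cret:pw".
        String header = "Basic " + Base64.getEncoder()
                .encodeToString("alice:s3cret:pw".getBytes(StandardCharsets.UTF_8));

        // No key is involved: decoding the header yields the credentials directly.
        String[] creds = decodeBasic(header);
        System.out.println("on the wire : " + header);
        System.out.println("recovered   : " + creds[0] + " / " + creds[1]);

        System.out.println("http  accepted: " + acceptBasic(false, header));
        System.out.println("https accepted: " + acceptBasic(true, header));
    }
}
```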