Check the archives for the subject line RE:Security Solution. I have some code that I developed that might give you the flexibility you want.
Brandon Goodin
Phase Web and Multimedia
P (406) 862-2245
F (406) 862-0354
[EMAIL PROTECTED]
http://www.phase.ws

-----Original Message-----
From: Preston Crawford [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 03, 2002 1:03 PM
To: [EMAIL PROTECTED]
Subject: Authentication without JDBC Realms?

Hopefully someone can provide some insight on this. We're developing at my company a Struts application and we're trying to implement security. We're using iPlanet because it's what we already owned (version 6.0) and we're on a limited budget. We don't have money for another server for LDAP, and don't believe the existing server could handle both LDAP and the web server duties.

With all of that in mind we looked into JDBC Realms. Based on what I'd seen in some books and examples, JDBC Realms looked promising. However, it now appears that JDBC Realms are only available in Tomcat currently.

So with that background, I'm wondering how others are implementing security if not using JDBC Realms. We'd prefer something like JDBC Realms since we're storing users and roles in the database anyway, but it appears that isn't available. So right now we're thinking we'll need to devise a custom solution. Problem is, since we have actions AND JSP pages we need to technically check for access at both a JSP and action servlet level.

Thoughts on this? Is it possible to lock down JSPs such that they can't be accessed directly, but only as a result of a forward from an action? Or is an action implicitly using an HTTP redirect, and thus locking down JSPs would be counter-productive?

Any help or advice would be greatly appreciated.

Preston

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>