Thanks Eddie.. I'll start investigating the "custom realm" possibility in Websphere. Websphere is just an embellishment of Apache, so, I would assume that if Apache can, so can Websphere....however, who knows..
Thanks again Eddie..

Cheers!
Siong

At 05:01 PM 19/09/2002 -0500, you wrote:
>CMA is Container Managed Security. Its implementation will vary from
>container to container. It is not tied to EJBs in any way shape or
>form. What it is ... is simply ... container-managed security :-) The
>container manages the login.
>
> - user asks for a page with restricted access (configured in web.xml)
> - server saves request
> - server presents user with login page
> - user submits login
> - server processes login
> - server replays initial request made by user
>
>For "server processes login", the server would (depending on how you
>configured it; different options may be available from different
>vendors): check a database, do a JNDI lookup (LDAP), or <something
>else>. Tomcat supports JDBC, JNDI, flat-file, and ... I think it provides
>another one now, though what it is escapes me.
>
>Sounds to me like CMA may not quite work for you, unless you implemented a
>custom realm (don't know if your container supports this; Tomcat
>does). You're saying that the cookie is a prompt to begin a login for a
>specific user. I guess it's not so bad if you're not including their
>password; I'd try to go for a userid instead if you could -- much less
>recognizable and identifiable. Sorry I came off like a "loose cannon"
>;-) I do that sometimes, but my heart is in the right spot. I just had
>to see people use practices that might cause (even more) people to disable
>cookies out of paranoia.
>
>CMA != EJB
>CMA != Full-Fledged J2EE Server (ie JBoss)
>
>I believe this is a servlet specification. Therefore, any servlet
>container should provide you with a way to configure it. Of course, there
>will be as many different ways to configure it as there are vendors of
>servlet containers :-/ ... but that's what happens when you don't set a
>standard for something.
>
>Siong Chan wrote:
>
>>Hi Eddie and Dimitar..
>>
>>Thanks for your responses. I realise that using cookies isn't the most
>>secure thing to do, however, this is a restriction that has been placed
>>upon us from the server that is redirecting the call to us.
>>However, we actually only keep the username and some other information
>>(not password) in the cookie and then our server will need to perform a
>>server to server SOAP message to authorise the userid with the
>>originating server.
>>
>>BTW, Eddie, is your CMA specifically the EJB container users/roles?
>>Does the web container allow CMA?
>>
>>Dimitar...your idea to forward directly to an action worked. Thanks!
>>
>>Cheers!
>>Siong
>
>--
>Eddie Bush
>
>--
>To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
>For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>

Siong H. Chan
Systems Engineer, eBusiness Division
MacDonald Dettwiler
Add: 13800 Commerce Parkway, Richmond, BC, Canada V6V 2J3
Email: [EMAIL PROTECTED]
Voice: (604)231-2150
Fax: (604)278-2533
URL: http://www.mda.ca/
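
The login flow listed in the quoted reply, as a web.xml fragment for form-based container-managed login. This is an added example, not part of the original messages; the URL pattern, role name and page paths are hypothetical, and the realm that actually checks the credentials is configured separately in the container.

```xml
<!-- WEB-INF/web.xml fragment using standard servlet deployment descriptor
     elements. "/secure/*", "member", "/login.jsp" and "/login-failed.jsp"
     are hypothetical values chosen for this example. -->

<!-- "user asks for a page with restricted access": any request matching
     the pattern needs an authenticated user holding the listed role. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted pages</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>member</role-name>
  </auth-constraint>
</security-constraint>

<!-- "server saves request" and "server presents user with login page":
     with FORM authentication the container holds the original request
     and sends the user to the login page named here. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-failed.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Roles referenced by auth-constraint must be declared. -->
<security-role>
  <role-name>member</role-name>
</security-role>

<!-- "user submits login" and "server processes login": the form in
     /login.jsp posts the fields j_username and j_password to the action
     j_security_check. The container, not application code, validates them
     against whatever realm it is configured with (database, JNDI/LDAP,
     flat file, or a custom realm), then replays the saved request.
     The application never handles the password itself. -->
```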