- set up container-managed authentication
    - as a server-configured service
    - as a filter (see securityfilter.sourceforge.net)
    - see your servlet container user guide for setup of the non-filter-based solution
- in your web.xml
    - declare the roles you will use
    - declare the URLs etc
    - see the servlet specification for how to configure this

The web.xml config applies to the non-filter-based approach I *think*.
See the filter's site for more information on how to configure that
particular one.

If you push your authentication/authorization up to the server level,
you don't have to have "nasty hacks" in all of your protected JSPs.
Just make the auth work and specify the mappings it holds true for.
Other good references on this topic include Java Servlet Programming
(Jason Hunter - O'Reilly) and Java Server Pages (Hans Bergsten -
O'Reilly). There are probably other resources available that outline
how to configure your deployment descriptor (web.xml) for this.

Hoang, Hai wrote:

>I want to secure the admin portion of my application from unauthorized
>users.  What is the best way to achieve this task?  Should I include a
>"CheckUser" tag on every JSP page and call a "CheckUser" function on every
>single action class?  I don't want the user to just key in the direct URL of
>the JSP page or call the action class directly.  But doing this, I have to
>go to the database twice on every action.
>
>Do you know a better way?
>
-- 
Eddie Bush