In the Windows world, if a user uses IE to access an ASP website, and both
are on domains and they are the same domain or there is a trust relationship
between the domains, you can do the following (the joy of one company
providing the entire stack):

1. You can authenticate the user based on who they logged in to Windows as.
2. You can handle authorization based on the groups that user is a member of.
3. You can open files as that user so all access to files is based on the
   user's privileges - without ever knowing the username & password of the
   user.
4. You can access SQL Server as that user so all database access is based on
   that user's permissions - without ever knowing the username & password of
   the user.

What makes this such a fantastic setup is the following:

1. The user was never asked to log in to use the ASP-based portal. It knows
   who they are.
2. The ASP-based portal never needs to know the user's password. So there are
   no security issues as you are never holding & storing a password.

Can this be done in the J2EE world? And if so, how? 

1. We want to avoid requiring the user to log in to use our portal.
2. We want to get authentication & authorization from the underlying O/S - so
   the company using this does not need to enter duplicates of all users and
   the groups they are in.
3. We need to access files and the databases as the user.

   a. We would prefer to do this without having to store the user's username
      & password.
   b. If we do have to store it, what is the best way to do so?

This is the one part of our portal where we are willing to write dependent
code as having this be true SSO with us storing nothing is such a good
thing. 

Suggestions ??? - thanks - dave

David Thielen

http://www.windwardreports.com

303-499-2544
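The J2EE counterpart of the IE/ASP flow described above is Kerberos over HTTP (SPNEGO): the browser presents a ticket instead of a password, and the server validates it against its own keytab and learns the user's principal. The servlet filter below is an added illustration, not code from the original post or from Windward; it assumes a JAAS login entry named "PortalServer" (keytab-based) and a registered service principal for the portal host.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.servlet.*;
import javax.servlet.http.*;
import org.ietf.jgss.*;

// Assumed (not from the post): JAAS entry "PortalServer" logs the portal in from a
// keytab, so the server never sees any user's password, only Kerberos tickets.
public class SpnegoFilter implements Filter {
    private static final Oid SPNEGO;
    static {
        try { SPNEGO = new Oid("1.3.6.1.5.5.2"); }
        catch (GSSException e) { throw new ExceptionInInitializerError(e); }
    }
    private Subject serverSubject;

    @Override public void init(FilterConfig cfg) throws ServletException {
        try { LoginContext lc = new LoginContext("PortalServer"); lc.login();
              serverSubject = lc.getSubject(); }
        catch (Exception e) { throw new ServletException(e); }
    }

    @Override public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse resp = (HttpServletResponse) rs;
        String auth = req.getHeader("Authorization");
        if (auth == null || !auth.startsWith("Negotiate ")) {
            // Challenge; a domain-joined IE answers with a ticket without prompting the user
            resp.setHeader("WWW-Authenticate", "Negotiate");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        byte[] token = Base64.getDecoder().decode(auth.substring("Negotiate ".length()));
        try {
            GSSContext ctx = Subject.doAs(serverSubject, (PrivilegedExceptionAction<GSSContext>) () -> {
                GSSManager m = GSSManager.getInstance();
                GSSCredential cred = m.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                                                        SPNEGO, GSSCredential.ACCEPT_ONLY);
                GSSContext c = m.createContext(cred);
                c.acceptSecContext(token, 0, token.length); // verifies the ticket with the keytab
                return c;
            });
            if (!ctx.isEstablished()) { resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
            req.setAttribute("user", ctx.getSrcName().toString()); // e.g. "dave@CORP.EXAMPLE"
            // Only present when the client and KDC permit delegation; needed to reach files/DB as the user
            req.setAttribute("delegCred", ctx.getCredDelegState() ? ctx.getDelegCred() : null);
            chain.doFilter(req, resp);
        } catch (Exception e) { resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); }
    }
}
```

Group membership for authorization then comes from the directory (LDAP lookup on the principal), and the delegated credential, when granted, is what lets downstream file or database access run as the user rather than as the portal; constrained delegation limits which services that credential may be used against.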
