Question about role-based security for web application.

 
Ranch Hand
Posts: 42
If I configure the web application security with
<session-config>
    <session-timeout>120</session-timeout>
</session-config>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Page</web-resource-name>
        <url-pattern>/jsp/*</url-pattern>
        <url-pattern>/servlet/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/failed.jsp</form-error-page>
    </form-login-config>
</login-config>


How could I keep the authentication alive if the client closes their browser?

In the login page, I simply use

<form method="POST" action="j_security_check">.


Many thanks.

I find that in Firefox, if I only close some tabs, the web application still thinks the session is active, but as soon as the browser is closed, the session and cookie expire on the client side. How could I keep it alive?
 
Bartender
Posts: 10336
You can't.

Typically the session is maintained by the browser using an in-memory cookie and that will disappear when the browser does.

If your requirement is not to have users log in every time they access your application you could consider pass through authentication. That way the credentials come from the OS.
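
The in-memory cookie behaviour described in the answer above, as an added example that is not part of the original thread: a Set-Cookie header with neither Expires nor Max-Age is a session cookie and is dropped when the browser exits, whatever the server-side `session-timeout` says. The function names and sample headers are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs); attribute names lowercased."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def client_lifetime(attrs, now):
    """Return ('session', None), ('persistent', seconds) or ('deleted', 0).

    Max-Age wins over Expires (RFC 6265). With neither attribute the cookie is
    held in browser memory only and is gone once the browser exits.
    """
    seconds = None
    if "max-age" in attrs:
        try:
            seconds = int(attrs["max-age"])
        except ValueError:
            pass  # an unparsable Max-Age is ignored
    if seconds is None and "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return ("session", None)  # an unparsable Expires is ignored
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        seconds = int((expires - now).total_seconds())
    if seconds is None:
        return ("session", None)
    return ("persistent", seconds) if seconds > 0 else ("deleted", 0)

def audit(header, now):
    """Summarise what the browser will do with one Set-Cookie header."""
    name, attrs = parse_set_cookie(header)
    kind, seconds = client_lifetime(attrs, now)
    return {"name": name, "lifetime": kind, "seconds": seconds,
            "survives_browser_close": kind == "persistent",
            "secure": "secure" in attrs, "httponly": "httponly" in attrs}

# Constructed sample headers (not captured from the poster's application).
NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)
SAMPLES = [
    "JSESSIONID=0123456789ABCDEF; Path=/app; Secure; HttpOnly",
    "prefs=compact; Max-Age=7200; Path=/app",
    "theme=dark; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Max-Age=0",
]
```

Running `audit` over the response headers of a login shows whether the container's session cookie can outlive the browser and whether it carries the `Secure` flag that a `CONFIDENTIAL` transport guarantee implies.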
 
Alex Sun
Ranch Hand
Posts: 42
Thank you Paul, I am a little bit confused about what you mean by "pass through authentication" and how I implement it?
 
Paul Sturrock
Bartender
Posts: 10336
"pass through" authentication just passes the authenticated credentials used by the client OS.

Have a look at jCIFS if you want to know more/implement this.
 