
How to handle authorization in a web application?

 
Dilshan Edirisuriya
Ranch Hand
Posts: 299
There are a few authorization techniques. Each has its own advantages and disadvantages. Here are a few approaches I have seen.

1) Hard-coding the user levels in the application server and accessing them.
2) Holding a session attribute for user levels for each user.
3) Keeping the authorization mechanism in the database.

Are there any additional things to add?

I want to know what aspects you should consider when choosing an authorization mechanism, and what the advantages and disadvantages of the above approaches are.
 
Ulf Dittmer
Rancher
Posts: 42970

1) Hard-coding the user levels in the application server and accessing them.
2) Holding a session attribute for user levels for each user.
3) Keeping the authorization mechanism in the database.

These aren't mutually exclusive. E.g., #2 can be used together with #3 (in other words, cache the user credentials in the session).

Hard-coding seems a bad choice, as do file-based approaches like Tomcat's MemoryRealm. Database- or LDAP-based storage is much to be preferred.

Servlet containers generally support various ways of storing user information, e.g. Tomcat has Realms, which abstract the storage of that information from its use in the web app. (That's assuming that you're using servlet authentication/authorization. If not, you can't use Realms, and need to devise your own way of accessing user information.)
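As an added illustration of the point above that #2 and #3 combine (the database is the source of truth for roles, the session is only a per-login cache), here is a servlet Filter that enforces a path-to-role mapping on every request. It is example code written for this page, not code from the thread, from Tomcat or from any project. It assumes a login servlet that stores the authenticated username in the session under `auth.username`, a JNDI DataSource at `java:comp/env/jdbc/appDb`, and a table `user_roles(username, role)`; all three names are hypothetical.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.sql.DataSource;

/** Example filter: roles are read from the database (approach #3) and cached in the session (approach #2). */
@WebFilter("/*")
public class AuthorizationFilter implements Filter {

    static final String SESSION_USER = "auth.username";   // assumed: set by the login servlet
    static final String SESSION_ROLES = "auth.roles";     // cache of the user's roles for this login

    // Path prefix -> required role. Hard-coding the mapping is fine; hard-coding
    // which users hold which role (approach #1) is what the thread warns against.
    private static final Map<String, String> REQUIRED_ROLE = new LinkedHashMap<>();
    static {
        REQUIRED_ROLE.put("/admin/", "admin");
        REQUIRED_ROLE.put("/reports/", "analyst");
    }

    private DataSource dataSource;

    @Override
    public void init(FilterConfig config) throws ServletException {
        try {   // assumed JNDI name; configure it in context.xml / web.xml
            dataSource = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/appDb");
        } catch (NamingException e) {
            throw new ServletException("DataSource lookup failed", e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the context root, so the mapping is independent of the deployment name.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        String required = requiredRoleFor(path);
        if (required == null) {              // public resource: no check needed
            chain.doFilter(req, res);
            return;
        }

        HttpSession session = request.getSession(false);
        String user = session == null ? null : (String) session.getAttribute(SESSION_USER);
        if (user == null) {                   // not authenticated
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        @SuppressWarnings("unchecked")
        Set<String> roles = (Set<String>) session.getAttribute(SESSION_ROLES);
        if (roles == null) {                  // first protected request after login: load once, then cache
            try {
                roles = loadRoles(user);
            } catch (SQLException e) {
                throw new ServletException("role lookup failed", e);
            }
            session.setAttribute(SESSION_ROLES, roles);
        }

        if (!roles.contains(required)) {      // authenticated but not authorized
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Longest matching prefix wins; null means the path is public. */
    static String requiredRoleFor(String path) {
        String best = null;
        for (String prefix : REQUIRED_ROLE.keySet()) {
            if (path.startsWith(prefix) && (best == null || prefix.length() > best.length())) {
                best = prefix;
            }
        }
        return best == null ? null : REQUIRED_ROLE.get(best);
    }

    /** Parameterised query; never build the SQL by string concatenation. */
    private Set<String> loadRoles(String user) throws SQLException {
        Set<String> roles = new HashSet<>();
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement("SELECT role FROM user_roles WHERE username = ?")) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    roles.add(rs.getString(1));
                }
            }
        }
        return Collections.unmodifiableSet(roles);
    }

    /** Call when a user's roles change in the database so the next request re-reads them. */
    static void invalidateCachedRoles(HttpSession session) {
        session.removeAttribute(SESSION_ROLES);
    }

    @Override
    public void destroy() { }
}
```

Two caveats that follow from caching in the session: the cached role set is only as fresh as the last load, so an administrative change (role removed, account disabled) must either remove the cached attribute as above or invalidate the affected user's session, otherwise the old rights survive until logout; and the cached value must be written only by server-side code after authentication, never derived from anything the client sends, since the session is the trust boundary here. If you use container-managed security instead, the same mapping is expressed as `security-constraint` elements in web.xml and the role lookup is done by the Realm, so this filter would not be needed.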
 
Dilshan Edirisuriya
Ranch Hand
Posts: 299
Thank you