
Authentication and getRemoteUser()

 
Hari babu
Ranch Hand
Posts: 208
I have an application where the user has to log in by providing a user name and password. The user name and password are authenticated against my application-specific database.
One of the users is authenticated. Now the user clicks on a link whose request is sent to the servlet.
In the servlet I want the user name. If I say "request.getRemoteUser()" (request is of type HttpServletRequest), can I get the "userName"? If I can get the "user Name" from the above method, how does it work? Because I never called "request.setRemoteUser()" (of course there is no such method), and who will do this for me? If I can't use "getRemoteUser()", then please tell me about the scenarios where I can use "getRemoteUser()". Similarly, I want to know how I can use "request.isUserInRole()".

Hari
 
David O'Meara
Rancher
You need to look into Basic and Form based authentication.
This is a part of the J2EE specification where the application server takes over the responsibility of maintaining the security of resources - i.e. web pages etc.
With Basic Authentication, if the user tries to access a restricted resource, a message is sent back to the browser informing it to throw up the 'username/password' dialogue box.
Form based authentication is similar, except that you design your own login screen, tell the server where it is, and the server returns this page instead.
If the user passes the authentication and they are also authorised to view that resource, they are sent to the resource. Otherwise they are either sent the login prompt again, or a 403 error (i.e. unauthorised).
isUserInRole is related to Roles, which is related to authorisation. It is possible for a server to know who someone is (i.e. they are authenticated), but still deny them a resource - they are not authorised to view it.
This is again managed by the server, but essentially you take the extra step of defining roles that are allowed to access the resource, then add users that are allowed to see that resource to the role as well. When someone asks for a resource, the server makes sure they are in one of the required roles necessary to get it before sending it to them.
After a user has been Authenticated, you can use getRemoteUser() to get their login name. If you want to (programmatically) test if they are allowed to do something, you can manually test isUserInRole( roleName ).
For example, we have a system with 1.6 million members. They all get the 'member' role for free. When they register, they get the 'online member' role. This role allows them to view member only information on our sites. Only 'member's are allowed to become 'online member's.
Staff get the 'staff' role and may or may not be 'member's. In addition, some staff are also 'administrators', which allows them to access administration functionality on the site.
We also have external agents which are neither staff nor members. They are unable to access any of the 'online member' or 'administration' functionality, even though they can authenticate against the same system.
Hope this gets you started!
Dave
ps - I would have added some links, but I don't have any ready
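The container-managed flow Dave describes, as an added example that is not part of this thread: a servlet that reads the login name the container established via getRemoteUser() and then checks a role with isUserInRole(). It assumes a web.xml (sketched in the comment) that protects /admin/* with FORM login and an "administrator" role; the realm behind it is whatever the server is configured with.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Assumed web.xml (declarative side, not shown in the thread):
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <url-pattern>/admin/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint><role-name>administrator</role-name></auth-constraint>
 *   </security-constraint>
 *   <login-config>
 *     <auth-method>FORM</auth-method>
 *     <form-login-config>
 *       <form-login-page>/login.jsp</form-login-page>
 *       <form-error-page>/login-error.jsp</form-error-page>
 *     </form-login-config>
 *   </login-config>
 *   <security-role><role-name>administrator</role-name></security-role>
 *
 * The container enforces the constraint before doGet() ever runs, so by the
 * time we are here the user is authenticated and in the role. The checks
 * below are the programmatic safety net for cases where the servlet is also
 * mapped to an unprotected URL.
 */
public class AdminServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Set by the container after the realm authenticated the user;
        // null means no authentication happened for this request.
        String user = request.getRemoteUser();
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Authorisation: the container answers from the realm's user-to-role mapping.
        if (!request.isUserInRole("administrator")) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "administrator role required");
            return;
        }
        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("Hello " + user + ", you are an administrator.");
    }
}
```

Without a realm that knows your users, getRemoteUser() stays null and isUserInRole() returns false, which is the situation Hari asks about in his next post.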
 
Hari babu
Ranch Hand
Hi,
My question is
I am maintaining the user info in my custom database and not in my web server.
Now my user (say username = hari) is authenticated. After this authentication can I call getRemoteUser() to get the user? If I can do that, who set the remote user, because I am not doing it? Will the web server do that automatically? Similarly, how do I ask the web server to put that authenticated user in a particular role so that whenever the user asks for a secured resource he is authorised against that role (checks web.xml)?
Hari
 
Peter den Haan
author
Ranch Hand
What you want to do is make your web server use the information from your database (the authentication and authorisation information in your database defines a "security realm" that the server should use). Unfortunately, there is no standardised way to do this (yet: isn't there a JSR?), but most self-respecting web/app servers have a fairly simple API that supports various sources of authentication information (XML files, JNDI, JDBC) and allow you to plug in your own Java classes where necessary.
- Peter
 
Hari babu
Ranch Hand
So in that case getRemoteUser() will return me null??
Also, in the above case, how do I take care of authorization? I am forced to use programmatic authorization, as my declarative authorization becomes useless (what I mean is using authorization based on roles).
Hari
[ January 27, 2003: Message edited by: Hari babu ]