• Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

programmatic security and declarative security

 
al langley
Ranch Hand
Posts: 35
I have used the <security-constraint> tags and just started to use realms with a database in Tomcat (thanks for the link again Ben Souther) to allow certain users to view certain pages.
But what if I only want a user to be authenticated once, and for the rest of the session the user can access all pages he is authorized to view without having to be authenticated each time.

How are declarative and programmatic security typically used in these situations?

This is what I was thinking:
The first time a user logs in from the login page, the username/password as well as the authentication method that is declared in the <security-constraints> sections of the DD is used.

Once the user has been authenticated the first time (a correct username/password combo) I set a Boolean variable in a session object to true.


Then for all other pages that require authentication, I just check the session object to see if the attribute value is set to true. If it is (and the user is logged in) I display the appropriate info, otherwise I display a message for the user to go log in.


I'm just curious as to how such cases are typically handled and if there is a more secure(or proper) way to handle this.
Thanks for taking the time to read my question.
Any thoughts or suggestions would be much appreciated.
[ May 19, 2008: Message edited by: al langley ]
 
Ulf Dittmer
Rancher
Posts: 42968
If you're using declarative security you don't need to do anything in your code - the servlet container will handle it (and it won't ask a user for the password more than once per session).

But you're talking about doing something in your code - that sounds as if you're actually doing programmatic security? The two don't mix well. I rarely use declarative security these days, because it's rather inflexible.
 
al langley
Ranch Hand
Posts: 35
Thanks for the response!

I have a situation where I have pages that only authorized users should be able to see. I think the scenarios are simple enough to be covered by declarative security. But I was wondering what factors I should look at.

I'd like to learn more about security and how it is typically handled when it comes to servlets and web apps in general. Anyone know a good book, or link?

Thanks again.
 
Pat Farrell
Rancher
Posts: 4678
I use a security filter, and at the top of every JSP page include code to check access, and if not allowed, redirect to the login page.

You can never trust how someone gets to a particular page. Never ever.

You cannot trust a browser. You can't know if it's really a user or a bad guy.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65229
Pat's approach is very customary and he is 100% spot-on in saying that you can never trust any data coming from a browser. Check early! Check often!

You can avoid putting code on every page by employing a servlet filter.
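An added example of the servlet filter Pat and Bear describe, covering the "authenticate once, then check on every request" flow asked about in the first post. It is not code from this thread or from Tomcat. The class name, the session attribute name, the /login.jsp path and the /secure/* mapping are assumptions; it uses the javax.servlet API of the Tomcat versions current when this was written (Tomcat 10 and later use jakarta.servlet instead).

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.*;

/*
 * Hypothetical AuthFilter (added example). Mapped once in web.xml, so the check
 * runs for every request under /secure/* and no JSP has to repeat it:
 *   <filter><filter-name>AuthFilter</filter-name>
 *           <filter-class>AuthFilter</filter-class></filter>
 *   <filter-mapping><filter-name>AuthFilter</filter-name>
 *                   <url-pattern>/secure/*</url-pattern></filter-mapping>
 */
public class AuthFilter implements Filter {

    /* Session attribute naming the logged-in user; the name is an assumption. */
    static final String USER_ATTR = "example.authenticatedUser";
    static final String LOGIN_PAGE = "/login.jsp";

    public void init(FilterConfig config) throws ServletException { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (authenticatedUser(request) != null) {
            chain.doFilter(req, res);          // logged in: let the request through
            return;
        }
        // Not logged in: deny by default and send the user to the login page.
        // Remember only the path inside this webapp, never a client-supplied URL.
        String wanted = request.getRequestURI().substring(request.getContextPath().length());
        response.sendRedirect(response.encodeRedirectURL(request.getContextPath()
                + LOGIN_PAGE + "?next=" + URLEncoder.encode(wanted, "UTF-8")));
    }

    /*
     * Who is logged in, or null. Two sources are honoured, so the declarative
     * and programmatic styles can coexist:
     *  1. the container's principal, set once a <security-constraint> plus a
     *     realm authenticated the user; the container keeps that in the session,
     *     which is why the password is only asked for once per session;
     *  2. the attribute establishSession() stores after a hand-rolled login
     *     form verified the password.
     */
    static String authenticatedUser(HttpServletRequest request) {
        Principal p = request.getUserPrincipal();
        if (p != null) {
            return p.getName();
        }
        HttpSession session = request.getSession(false); // never create one here
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);
        return (user instanceof String) ? (String) user : null;
    }

    /*
     * Called by the login servlet only after the username/password pair has been
     * verified against the realm or database. The pre-login session is discarded
     * so an id an attacker planted before login is worthless (session fixation).
     */
    static void establishSession(HttpServletRequest request, String user) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true).setAttribute(USER_ATTR, user);
    }

    /*
     * Where to send the user after login. Only an absolute path inside this
     * webapp is accepted; another host, a scheme, a protocol-relative "//host"
     * or CR/LF falls back to the root, so "next" cannot become an open redirect.
     */
    static String safeReturnPath(String next) {
        if (next == null || !next.startsWith("/") || next.startsWith("//")
                || next.startsWith("/\\") || next.indexOf(':') >= 0
                || next.indexOf('\r') >= 0 || next.indexOf('\n') >= 0) {
            return "/";
        }
        return next;
    }

    /* Logout: invalidate the whole session, not just clear the flag. */
    static void logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
}
```

The login servlet (not shown) verifies the credentials against the realm or database, then calls establishSession() and redirects to request.getContextPath() + safeReturnPath(request.getParameter("next")). Two points matter more than the filter itself: the session flag only means anything if it is set server-side after a real password check, and the filter mapping has to cover every protected URL, which is why keeping protected pages under one prefix (or mapping /* and exempting the login page) is safer than a check at the top of each JSP that one page can forget. Because the session cookie is the credential after login, serve the application over HTTPS.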
 
al langley
Ranch Hand
Posts: 35
Thanks, will try out the security filter.

The advice is very appreciated!
 