Serving content based on authenticated roles
posted 6 years ago
Hi
I would like my users to authenticate (username/password) from the home page (index.html), or one click from the home page to use SSL. When the user is authenticated I would like the server to look up the user's role in a role table and serve them with content spedific to that role (or to send them to a session based role selector page if they have more than one role).
I'm considering Container Managed Security (CMS) using form-based authentication with DataSourceRealm and SSL on the server side.
However, when using CMS the user is directed to the form-login-page only when the user tries to access a constrained resource or servlet. So CMS acts more like a hurdle, while I would like it act a little more proactively.
Any clues on how on how I can get a user to authenticate before they try to access a constrained resource, and then serve them content based on their authentication details? (Using Ajax would be prefered).
Thanks
Marten
I would like my users to authenticate (username/password) from the home page (index.html), or one click from the home page to use SSL. When the user is authenticated I would like the server to look up the user's role in a role table and serve them with content spedific to that role (or to send them to a session based role selector page if they have more than one role).
I'm considering Container Managed Security (CMS) using form-based authentication with DataSourceRealm and SSL on the server side.
However, when using CMS the user is directed to the form-login-page only when the user tries to access a constrained resource or servlet. So CMS acts more like a hurdle, while I would like it act a little more proactively.
Any clues on how on how I can get a user to authenticate before they try to access a constrained resource, and then serve them content based on their authentication details? (Using Ajax would be prefered).
Thanks
Marten
when in doubt put it in parenthesis and stick a dollar sign in front of it, only good can come from this.
posted 6 years ago
Marten, how is your security constraint defined in web.xml. I mean to ask what are the resources in your webapp, you are constraining.
marten kay wrote:Hi
I would like my users to authenticate (username/password) from the home page (index.html), or one click from the home page to use SSL. When the user is authenticated I would like the server to look up the user's role in a role table and serve them with content spedific to that role (or to send them to a session based role selector page if they have more than one role).
I'm considering Container Managed Security (CMS) using form-based authentication with DataSourceRealm and SSL on the server side.
However, when using CMS the user is directed to the form-login-page only when the user tries to access a constrained resource or servlet. So CMS acts more like a hurdle, while I would like it act a little more proactively.
Any clues on how on how I can get a user to authenticate before they try to access a constrained resource, and then serve them content based on their authentication details? (Using Ajax would be prefered).
Thanks
Marten
Marten, how is your security constraint defined in web.xml. I mean to ask what are the resources in your webapp, you are constraining.
Regards
KumarRaja
posted 6 years ago
Hi Kumar
I am still in the design stages, so I can't give my web.xml example at the moment. However the scenario is this, the application is for teachers testing students so whenever a teacher logs in the page they see must be different to when the student logs in, and when the student logs in they should not be able to access the teacher's servlets or jsps.
My current thinking is to implement authentication myself and to have all requests to the app come through one servlet that authenticates (when details entered by user from index.jsp) and then based on roles found during authentication the request is delegated to an object to process the request. For future requests, the request would come through the same single servlet where the authority for the user is checked before delegating the request to an object to process. This seems simple enough to do, but I'm not too sure if it's a good idea to implement all security myself.
Marten
Hi Kumar
I am still in the design stages, so I can't give my web.xml example at the moment. However the scenario is this, the application is for teachers testing students so whenever a teacher logs in the page they see must be different to when the student logs in, and when the student logs in they should not be able to access the teacher's servlets or jsps.
My current thinking is to implement authentication myself and to have all requests to the app come through one servlet that authenticates (when details entered by user from index.jsp) and then based on roles found during authentication the request is delegated to an object to process the request. For future requests, the request would come through the same single servlet where the authority for the user is checked before delegating the request to an object to process. This seems simple enough to do, but I'm not too sure if it's a good idea to implement all security myself.
Marten
when in doubt put it in parenthesis and stick a dollar sign in front of it, only good can come from this.
