I am building a web application that have admin user and non admin user...Now in my main page I have a design that I also want to be the design for the non admin users. For example if I have a view jsp page with a edit and a delete button if you are admin user, I dont want this button to appear of you dont have the admin roles... How to do this?thanks
Check out the Apache Shiro library. It provides (amongst much other security functionality) JSP tags for authenticated and unauthenticated users, making the process even simpler than using the standard JSTL tags: http://shiro.apache.org/
you have 4 types of authentication mechanism that is..
BASIC :: this one provides BASIC authentication .. and encode the user name and password provided by the user,, IT PROVIDES VERY WEAK AUTHENTICATION
DIGEST :: its an upgraded version of BASIC ,, still not much use
CLIENT_CERT :: its provides good AUTHENTICATION ,, but client must have SOME CERTIFICATES
FORM BASED :: its needs FORM of login information..
1. first of all in your REALM you have to define the login information of the user.. like user name and password
2. then in your DD you have to define the user ROLES
3. and then you can use the above code in your DD,, it provides AUTHENTICATION , AUTHORIZATION , CONFIDENTIALITY and INTEGRITY...
1. realm is a tomcat-users.xml file .. you have to edit it to define your users..
<role rolename="Admin" />
<role rolename="Member" />
<user username="Shivam" password="shivam" roles="Admin, Member" />
in the above code 3 the role name ADMIN can doPost on my servlet in the directory named WEB_INF/shivam and no one like Member can doPost on the same resource ,, BUT including ADMIN ,, member can doGet , doHead , doTrace on the resurce
shivam singhal wrote:DIGEST :: its an upgraded version of BASIC ,, still not much use
Since I'm not sure what you mean by "not much use", I want to clarify that DIGEST employs strong cryptography - from that point of view it is much better than, for example, FORM based auth - which provides no encryption unless it's used in conjunction with HTTPS. The unfortunate truth about DIGEST is that there are still browser/server combinations that not support it, although they're becoming rare these days.