You need to store the association between a user and zero, one, or more than one valid role.
I suggest you google for tomcat realms as even if you are not using tomcat it will give you a good idea of how to do this. Your database may look something like this:
create table users (
    user_name varchar(15) not null primary key,
    user_pass varchar(15) not null
);

create table user_roles (
    user_name varchar(15) not null,
    role_name varchar(15) not null,
    primary key (user_name, role_name)
);
Ya, I know the database structure. But my point is, if I need to store all roles and usernames in the database, then what did we add in web.xml for? Also, do I need to write if-then logic in each and every page? Like "if user is admin then true else false" and all these silly things?
What you are talking about is called declarative security. You map the security policy in the web.xml file (usually) using <security-constraint> etc, and at runtime the servlet container uses that security policy to enforce authentication and authorization. This is part of the servlet specification, a version of which your servlet container will implement.
Ok! Thanks friend,
Now, let's take a general scenario. You tell me how to do that in Java. When a user tries to access an unauthorized resource he is thrown to the login page. (This part I have already done using declarative security.) But now, when he clicks login, what all should I do?
First I should check in the database, and if he is admin he should be allowed to browse. Here, I would like to ask how we get the return URL.
E.g. the user is browsing http://www.xyz.com/admin/foofoo.jsf
Now, after the admin successfully logs in, he should be redirected to foofoo.jsf and not to the default URL of Admin, e.g. admin/index.jsf?
Also, how does the server know whether the user is now authenticated? I mean, if the user again tries to browse an admin resource, won't he be redirected to the login page again? And to prevent that, do we need to store something in the session as a flag, so that we can know whether the user is authenticated and authorized or not? And if yes, then do we need to write this silly if-then logic on each and every page? This is not a good solution.
Please, I am a beginner, maybe my questions are too silly, but that's the way you learn.
Salman4u wrote: Usernames and passwords are stored in mysql database.

Normally you don't store the password itself in a database. It's better to store the hash of the salted password.
You're on the right track. But your questions about "do I have to do this on every single page" just shows you haven't heard about Filters yet.
It was just a guess. Then what about JDBCRealm? I was just about to do that.
Please somebody tell me, should I manually check for authentication using filters, or should I go for JDBCRealm?
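To show how declarative security answers the questions in this thread (no per-page if-then checks, the return URL, and the "is he authenticated yet" flag), here is an added example, not posted by anyone in the thread: a web.xml fragment protecting /admin/* with FORM login, plus a Tomcat context.xml realm wired to the users/user_roles tables shown above. With FORM authentication the container itself saves the originally requested URL (e.g. /admin/foofoo.jsf), shows the login page, and after a successful POST to j_security_check (fields j_username and j_password) replays the saved request and tracks the authenticated principal in the session. Tomcat 8+ is assumed for the nested CredentialHandler; the JDBC URL and database account are placeholders, and the role name "admin" and page names are assumptions.

```xml
<!-- web.xml: the container enforces this for every request under /admin/*,
     so no page needs its own authentication or role check. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin area</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- only principals holding this role (from user_roles) get through -->
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- require TLS so credentials and the session cookie never travel in clear -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <!-- FORM auth: unauthenticated requests are parked, the user is sent to
       the login page, and the parked request is replayed after success. -->
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsf</form-login-page>
    <form-error-page>/login-error.jsf</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>admin</role-name>
</security-role>

<!-- META-INF/context.xml (Tomcat 8+ assumed): the realm that reads the
     users/user_roles tables from the thread. Connection values are placeholders. -->
<Context>
  <Realm className="org.apache.catalina.realm.JDBCRealm"
         driverName="com.mysql.jdbc.Driver"
         connectionURL="jdbc:mysql://DB_HOST/DB_NAME"
         connectionName="DB_USER" connectionPassword="DB_PASSWORD"
         userTable="users" userNameCol="user_name" userCredCol="user_pass"
         userRoleTable="user_roles" roleNameCol="role_name">
    <!-- user_pass holds salted, iterated SHA-256 digests rather than clear text -->
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                       algorithm="SHA-256" saltLength="16" iterations="100000"/>
  </Realm>
</Context>
```

Note that a salted SHA-256 digest does not fit the varchar(15) user_pass column from the schema above; widen that column before switching to hashed credentials.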