[Opensource] User authentication
Bjorn Granvik
bjorn.granvik at jayway.se
Wed Jun 12 01:52:48 PDT 2002
> Can we have a look at the code?
First off: when writing this, we're not quite sure what the future is for our
piece of code.
We will have to get back to those interested later on.
Let's see if I can describe this better.
1. User enters the URL of a protected page
In the website's web.xml we've set up the declarative security, i.e. which
roles access what.
Note, we're using standard J2EE user and roles to set this up (not JAAS,
which encompasses more).
2. Tomcat shows login
Tomcat shows our login page (form based authentication) since we're trying
to access a protected resource.
User enters username and password.
3. Authentication and authorization
We've set up Tomcat to use an LDAP realm (this is done in the config/server.xml
file).
Tomcat contacts the LDAP server, finds the user, checks the password and
retrieves the roles for this user.
4. Tomcat clear, on to the Expresso page
Tomcat has now cleared our access to the protected resource. If it's a plain
file (html, doc, etc.), i.e. not Expresso-based, we're home free.
If it's an Expresso page, say frame.jsp, we now enter the Expresso
structure.
It ends in a call to CheckLogin.java. We know we're logged in and we have
the username.
Contact the LDAP server and get the Expresso user id - expUID. Now we have
all the info needed to authenticate the user the Expresso way (currentLogin on
session variables).
One final trick is still left to do when supporting the example above:
putting both the user (with expUid) _and_ the groups from Expresso into the
LDAP server. This is done by tweaking some of the files in the Expresso
framework.
I hope I've answered your question,
Bjorn
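Steps 1 to 3 above are plain container configuration, so here is a worked example of what they look like: a web.xml security constraint with form-based login, and a Tomcat JNDIRealm entry for the LDAP server. This is an added illustration for the thread, not code from Bjorn's post or from the Expresso project. The hostname ldap.example.com, the bind DN, the role name "member", the /secure/* URL pattern and the login page names are all assumptions chosen for the example; the element and attribute names themselves are the standard ones from the servlet 2.3 deployment descriptor and Tomcat 4's org.apache.catalina.realm.JNDIRealm.

```xml
<!-- web.xml: declarative security (steps 1 and 2 of the description above) -->
<web-app>

  <!-- Everything under /secure/ requires the "member" role.
       "member" is an assumed role name; in practice it is whatever your
       LDAP group names are mapped to below. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected pages</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
    <!-- Force HTTPS for the constrained pages, otherwise the form-posted
         password crosses the wire in the clear. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Form-based login. The login page must POST fields named j_username
       and j_password to the action j_security_check; Tomcat handles the rest. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-failed.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role referenced in an auth-constraint must be declared. -->
  <security-role>
    <role-name>member</role-name>
  </security-role>

</web-app>

<!-- server.xml: the LDAP realm (step 3). Placed inside <Engine> or <Host>
     in Tomcat's conf/server.xml. All DNs and the host are assumed values. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="0"
       connectionURL="ldaps://ldap.example.com:636"
       connectionName="cn=tomcat,ou=services,dc=example,dc=com"
       connectionPassword="CHANGE-ME"
       userPattern="uid={0},ou=people,dc=example,dc=com"
       roleBase="ou=groups,dc=example,dc=com"
       roleName="cn"
       roleSearch="(uniqueMember={0})" />
```

Two points worth checking in your own configuration. First, the realm above deliberately omits the userPassword attribute: without it, Tomcat verifies the password by binding to the directory as the user, so the service account never needs read access to password hashes. Setting userPassword="userPassword" instead makes Tomcat fetch the attribute and compare locally, which requires exposing the hashes to the bind account. Second, use ldaps:// (or otherwise protect the link); with a plain ldap:// URL the user's password travels in cleartext between Tomcat and the directory even when the browser side is HTTPS. In roleSearch, {0} is substituted with the authenticated user's full DN and {1} with the bare username, so the filter can match either groupOfUniqueNames members (as here) or memberUid-style groups.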