Solved

Populating bean after form based authentication

Posted on 2004-08-06
8
213 Views
Last Modified: 2010-04-01
Hi.
I'm using Tomcat 5 with form authentication tied to a mySQL database.
I can get the user logged in and also protect things using roles.
The problem is, there are other things, such as user preferences, address info, etc that I want to put in a Session Bean.
I'm not exactly sure how to make this happen...

Do i need to use some sort of custom authentication to make this happen?
If so, can I still use the container managed security at all?

Are there any examples of doing this?

Thanks!
0
Comment
Question by:jdoklovic
  • 5
  • 3
8 Comments
 
LVL 35

Expert Comment

by:girionis
ID: 11744061
Yes you can use container managed security still. When you login the container remembers the login name of the user, so if you do a request.getRemoteUser() it will return you the name of the user logged in.

> The problem is, there are other things, such as user preferences, address info, etc that I want to put in a Session Bean.

Where is this data stored? In a database? In a file? What I would do will be to actually have a User object that represents the user. This user object will hold all the relevant user information such as preferences, address info, login name etc and anything else you need. Then upon user login, load this data from where you store them, fill up a User object and add it to the session bean. Your session bean should have an instance variable of type User in order to be able to assing it.

0
 
LVL 1

Author Comment

by:jdoklovic
ID: 11751845
Yes, the user info is in a DB.
Creating a UserBean object is exactly what I want to do.
Problem is, the "upon login" part.

It's my understanding, the Container will send the user to login.jsp whenever the user requests a secured app and is not already authenticated.
Then when the user submits the login form, the container authenticates and then sends the user back to the original resource.
So at this point, I guess I'm unsure where/when to populate the UserBean.

Thanks!
0
 
LVL 35

Accepted Solution

by:
girionis earned 500 total points
ID: 11751942
>It's my understanding, the Container will send the user to login.jsp whenever the user requests a
>secured app and is not already authenticated.
>Then when the user submits the login form, the container authenticates and then sends the user
>back to the original resource.

Yes this is true. When you login and the container redirects you to a page (lets call it firstPage.jsp) in the firstPage.jsp you do a

String loginName = request.getRemoteUser();

and you will have the login name of the user. Then you do a request to the database based on the login name, something like:

SELECT * FROM usersTable WHERE username = 'loginName'

and you will get a ResultSet back. You will have to go through this ResultSet and assign the value of the row you will get back (I am assuming that the username is unique so you will only get a record back) into the user value object you have. Something like:

UserBean ub = new UserBean();
ub.setLoginName(resultSet.getString("loginName"));
ub.setSurname(resultSet.getString("surname"));
...

and so on. After you are done you will have a user represented as a UserBean with all the relevant details.
0
 
LVL 1

Author Comment

by:jdoklovic
ID: 11752418
That makes sense.
So if I have multiple entry points into the app, I have to put this code on every page I'm guessing.

I'm not sure if you can answer this cause I'm guessing it depends on how I write the bean, but can I do something like this in each jsp page:

UserBean ub = new UserBean(request.getRemoteUser());

Then, if the bean already exists in the session for that user just return it, and if not, then do the DB lookup and return the newly populated bean?
0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 
LVL 35

Expert Comment

by:girionis
ID: 11759914
> So if I have multiple entry points into the app, I have to put this code on every page I'm guessing.

Yes, you have to put it in every jsp page you want to create the user object.

>I'm not sure if you can answer this cause I'm guessing it depends on how I write the bean, but
>can I do something like this in each jsp page:
>
>UserBean ub = new UserBean(request.getRemoteUser());

Yes you can. The only thing you have to do is to move all the database related code in the UserBean class. The UserBean will be receiving the username, will be connecting to the database, will be getting the result set and will be assigning the values of the ResultSet to its instance variables. And this is the prefered way to do it since you are keeping the JSP page cleaner. Although, if you want to modularize further, you could have a separate bean (lets call it DatabaseBean) that does all the db stuff. By doing this you separate the db logic from the user logic. But for the time beiing it's fine to keep it like this.

>Then, if the bean already exists in the session for that user just return it, and if not, then do >the DB lookup and return the newly populated bean?

Yes, just check the session for the defined value (a good way is to store the bean by using the username's value), for instance:

// Get the session
session = request.getSession();
// Get the bean that corresponds to the user who  has just logged in
UserBean user = (UserBean) session.getAttribute(request.getRemoteUser());
// If UserBean does not exist
if (user == null)
{
    // create a new one
    user = new UserBean(request.getRemoteUser());
}
else
{
    // do other stuff
}

Hope it helps :)

Thank you for accepting also.
0
 
LVL 35

Expert Comment

by:girionis
ID: 11759919
This code:

// create a new one
user = new UserBean(request.getRemoteUser());

coud be (if you want to put it in the session)

// create a new one
user = new UserBean(request.getRemoteUser());
// Put it in the session
session.setAttribute(request.getRemoteUser(), user);
0
 
LVL 1

Author Comment

by:jdoklovic
ID: 11763171
Thanks for all of your help.
0
 
LVL 35

Expert Comment

by:girionis
ID: 11765022
No problem :)
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

A Short Story about the Best File Recovery Software – Acronis True Image 2017
We have come a long way with backup and data protection — from backing up to floppies, external drives, CDs, Blu-ray, flash drives, SSD drives, and now to the cloud.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now