VincentLawlor
asked on
Writing a fairly secure Login
Hi All,
I have been trawling the net looking for a solution to this.
Basically what I need is a means of securing various areas of a site from unauthorised users.
I am not talking about using SSL etc but something fairly rudimentary.
I have done something similar using ASP.
The idea there was that the user could choose to log in and would have access to various areas in this state; in the logged-out state some of these areas would simply not be accessible.
Login was through a login page
Credentials validated against password values stored in a SQL database as an MD5 hash
If validated then the credentials for this user are stored as an AuthCookie using Forms Authentication.
Does anybody have any examples of how to do something similar using JSP and Servlets possibly even using a session JavaBean?
^^ that is how I would do it, but it possibly isn't the most secure means of doing so. However, I'm not sure that you could do it another way, short of emulating a session using a database entity, meaning that security would be as safe as your anti-SQL-injection? But a slow and awfully ugly way of doing things.
ASKER
It doesn't have to be very secure as it's going to be on an intranet and not exposed to the wider internet audience.
It will also eventually sit behind a Kerberos security layer.
This is really only to allow users with certain roles to access various parts of the site. I am not concerned with hacking.
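An added example (not code from the question or from any answer on this page) of the pieces the question and the asker's follow-up describe: a login servlet that validates a submitted username and password against a stored hash, a session JavaBean that records who is logged in and which roles they hold, and a filter that keeps logged-out users and users without the right role out of particular areas of the site. Assumptions: Java 17, the javax.servlet 4 API with annotations (Tomcat 9 or similar), a hypothetical package `example.auth`, hypothetical paths `/login`, `/login.jsp`, `/home.jsp`, `/admin/` and `/staff/`, and an in-memory map standing in for the SQL user table. Passwords are checked as salted PBKDF2 hashes rather than the unsalted MD5 the question mentions; a real salt would be 16 random bytes per user from `SecureRandom`.

```java
// --- file: UserSession.java (the "session JavaBean" the question asks about) ---
package example.auth;                        // hypothetical package name

import java.io.Serializable;
import java.util.Set;

public class UserSession implements Serializable {
    private final String username;
    private final Set<String> roles;
    public UserSession(String username, Set<String> roles) {
        this.username = username; this.roles = Set.copyOf(roles);
    }
    public String getUsername() { return username; }
    public boolean hasRole(String role) { return roles.contains(role); }
}

// --- file: LoginServlet.java ---
package example.auth;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Set;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet("/login")                        // hypothetical URL; the login form POSTs here
public class LoginServlet extends HttpServlet {
    /** One row of the user table (here an in-memory, constructed stand-in): salt, hash, roles. */
    record StoredUser(byte[] salt, byte[] hash, Set<String> roles) {}

    private static final int ITERATIONS = 100_000, KEY_BITS = 256;

    static byte[] pbkdf2(char[] password, byte[] salt) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        } finally {
            spec.clearPassword();            // do not keep the plaintext around
        }
    }

    // Constructed sample user; a deployment would read salt, hash and roles from the SQL table.
    private static final byte[] DEMO_SALT = "demo-salt-not-random".getBytes();
    private static final Map<String, StoredUser> USERS = Map.of(
        "alice", new StoredUser(DEMO_SALT, pbkdf2("correct horse".toCharArray(), DEMO_SALT), Set.of("admin", "staff")));

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        StoredUser stored = user == null ? null : USERS.get(user);
        boolean ok = false;
        if (stored != null && pass != null) {
            byte[] candidate = pbkdf2(pass.toCharArray(), stored.salt());
            ok = MessageDigest.isEqual(candidate, stored.hash());   // constant-time comparison
        }
        if (!ok) {
            resp.sendRedirect(req.getContextPath() + "/login.jsp?error=1");   // same answer for bad user or bad password
            return;
        }
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();       // new session id on login (session fixation defence)
        req.getSession(true).setAttribute("user", new UserSession(user, stored.roles()));
        resp.sendRedirect(req.getContextPath() + "/home.jsp");
    }
}

// --- file: RoleFilter.java (decides which areas need a login and which role) ---
package example.auth;

import java.io.IOException;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

@WebFilter("/*")
public class RoleFilter implements Filter {
    /** Path prefix -> role required to enter it (constructed sample mapping). */
    private static final Map<String, String> REQUIRED_ROLE = Map.of("/admin/", "admin", "/staff/", "staff");

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        String path = req.getRequestURI().substring(req.getContextPath().length());
        String needed = REQUIRED_ROLE.entrySet().stream()
                .filter(e -> path.startsWith(e.getKey())).map(Map.Entry::getValue).findFirst().orElse(null);
        if (needed == null) { chain.doFilter(request, response); return; }   // public area, no login needed

        HttpSession session = req.getSession(false);
        UserSession user = session == null ? null : (UserSession) session.getAttribute("user");
        if (user == null) {                          // logged out: send to the login page
            resp.sendRedirect(req.getContextPath() + "/login.jsp");
        } else if (!user.hasRole(needed)) {          // logged in but lacking the role: refuse outright
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        } else {
            chain.doFilter(request, response);
        }
    }
}
```

The filter, not the individual JSP pages, is what keeps the logged-out state from reaching the protected areas, so a page author who forgets a check does not open a hole; the only state carried between requests is the container's session id cookie, which is why the session is re-created on login rather than reused. Adding a new protected area is one more entry in `REQUIRED_ROLE` (or, in a real deployment, one more row in the table that mapping is loaded from).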
ASKER CERTIFIED SOLUTION
You have to realize though that you are pulling security down into the application which isn't a good idea.