Date: Mon, 9 Mar 1998 15:10:47 -0800
From: David.Brownell@Eng (David Brownell)
Message-Id: <199803092310.PAA10112@argon.eng.sun.com>
To: java-security@web1.javasoft.com, mick_dalton@hotmail.com
Subject: Re: login to webserver
> X-Originating-IP: [193.150.166.50]
> From: "Mick Dalton" <mick_dalton@hotmail.com>
> To: java-security@web1.javasoft.com
> Date: Wed, 04 Mar 1998 05:22:53 PST
>
> I'm relatively new to java and I'm on my way to write my first servlet
> application for an intranet. Happily I've got much C++ experience. But
> Java attracts me more and more because of the portability and a much
> easier handling. My question is how I can implement a user
> identification and authentication via an applet which communicates with
> my servlet.

There are lots of ways to do this. The simplest is to put the
applet on a web page which is protected using the access control
lists in your web server ... the browser will pop up a simple
authentication dialog (username and password), and the servlet
will get access to that username if the authentication was done
correctly. That is, don't involve the applet in security at all.

Other methods involve managing your own user database, and having
a login interaction using HTTP/HTML. That approach tends to be a
lot more flexible in terms of look (use your site's custom logos,
diagnostics, etc) and feel (do you want to offer an enrollment
facility or a way to recover from users forgetting passwords) as
well as authentication protocols (token cards, OTP or S/Key, SSL
client authentication, etc).

In your case it sounds like you've got your existing user database
to deal with, and you could live with connecting to it through HTTP
(no customized look and feel, or authentication protocol).

If you're using the Java Web Server, you can implement a custom
"Realm" (a brief tutorial is available on this topic through the
http://java.sun.com/products/java-server website) and leverage HTTP
authentication.

- Dave

> My application is in charge with reporting of sensitive data
> thus I want to urge the user to logon before undertaking any action. I've
> only heard of sockets, threads, encryption (but without decryption),
> cookies but I can't bring them all together. I would be very grateful if
> you could provide me a strategic concept and several code samples.
>
> The way I thought of is the following: Call my servlet first (e.g.
> "servlet?action=welcome") then the servlet posts a login applet to the
> browser which asks for user id and password. Having finished the applet
> encrypts and returns the authentication string to my servlet which
> checks it. But consider that I don't want to protect my servlet since
> the user id and password are managed on a host environment. To verify
> the password I have to establish a JDBC connection to the host!
> I hope my question is specified enough to be able to answer. I would be
> very very happy if you could help me. Many thanks in advance.
> Best regards.
> Mick Dalton
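
Added example, not part of the original thread and not Sun or Java Web Server code: a server-side check of the HTTP Basic "Authorization" header that the browser's username/password dialog produces, of the kind a servlet could run on the value of request.getHeader("Authorization"). The verifier callback and the in-memory user map are hypothetical stand-ins for the JDBC lookup against the host user database, and the header values are constructed samples.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.function.BiPredicate;

public class BasicAuthCheck {

    /** Returns the authenticated user name, or null if the caller must answer 401. */
    static String authenticate(String header, BiPredicate<String, char[]> verifier) {
        // Scheme name is case-insensitive; anything else (or no header) fails closed.
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null;                        // malformed base64: fail closed
        }
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');          // split on the FIRST colon only:
        if (colon <= 0) return null;            // passwords may contain ':', user ids may not
        String user = pair.substring(0, colon);
        char[] password = pair.substring(colon + 1).toCharArray();
        return verifier.test(user, password) ? user : null;
    }

    public static void main(String[] args) {
        // Constructed user store (assumption): stands in for the host database reached
        // over JDBC. A real store would hold salted password hashes, not plaintext.
        Map<String, String> users = Map.of("mick", "s3cret:with:colons");
        BiPredicate<String, char[]> verifier = (u, p) -> {
            byte[] expected = users.getOrDefault(u, "").getBytes(StandardCharsets.UTF_8);
            byte[] supplied = new String(p).getBytes(StandardCharsets.UTF_8);
            // MessageDigest.isEqual does not stop at the first differing byte.
            return MessageDigest.isEqual(expected, supplied) && users.containsKey(u);
        };
        String good = "Basic " + Base64.getEncoder()
                .encodeToString("mick:s3cret:with:colons".getBytes(StandardCharsets.UTF_8));
        // Constructed inputs: valid, malformed base64, wrong password ("mick:wrong"), absent.
        String[] headers = { good, "Basic !!!notbase64", "Basic bWljazp3cm9uZw==", null };
        for (String h : headers) {
            String user = authenticate(h, verifier);
            System.out.println(h + " -> " + (user != null ? "200 for " + user
                    : "401 WWW-Authenticate: Basic realm=\"reports\""));
        }
    }
}
```

Basic credentials are only base64-encoded on the wire, so this check belongs behind SSL when the data is sensitive.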