#1

    JSP/Servlet Authorization


    Here is my situation...

    I have developed a working authentication process for my webapp. The user must enter their database username and password the first time they log onto the system. This information is then stored in a cookie so they should never have to enter it again.

    My boss now says that he never wants to make the user 'log in' to the webapp. I was wondering if there was a way I could get the username that the client uses for their NT computer (that is the same as their database username on our system)?

    I know how to do all of this using a regular Java application but not using a Webapp. The only thing that I can think of is having a small Java app run at startup and modify/create the cookie on the client's machine w/ the necessary information. Is there a better way?
#2
    He wants a browser based app that is available on the internet but does not want to bother with logging in? Typical. If the web server is accessible from the internet, you obviously need to have some sort of protection. If the web app is only available on an intranet, then you might be able to forgo any protection.

    Your idea of modifying the cookie on startup is doable. You will still have protection and the availability of users "on the road" to be able to use the app, but they will be prompted (which is not much of a hardship) when accessing from an 'open' computer.

    Incidentally, persistent cookies are generally not considered a 'safe' way of protecting a web site. All any user has to do to gain access unlawfully is to copy the cookie and place it on another computer somewhere.

    A web app by its very definition is accessible to the world. If you want global access, but don't want the whole world to be in your stuff, the accepted practice is to have the user log in when they initially enter. It is a necessary evil. However, it is not uncommon for non-technical people to not understand this and want it to work like their 'old' system.

    As far as I know you can't have it both ways. If you want global accessibility, you must log in. If you want to restrict access to only at work, then you can forgo logging in (in some cases).


    EDIT: I reread your post. If all you want is the user's name and don't need their password, you can get this from the system using System.getProperty("user.name"). However, you must make the applet a signed applet or you will get a security exception.
    Last edited by Nemi; April 10th, 2003 at 02:19 PM.
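
    Added example, not part of either post and not code from this thread: it illustrates the persistent-cookie point in reply #2 by keeping an opaque random token in the cookie instead of the database username and password. The class name, the user "jsmith" and the timestamps are constructed for illustration; a copied token is still accepted, but it expires, can be revoked on the server, and never exposes the password.

```java
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Added illustration: opaque "remember me" tokens instead of credentials in a cookie. */
public class RememberMeTokens {
    // Hypothetical server-side store (token -> user and expiry); an assumption, not from the thread.
    private record Entry(String user, Instant expires) {}
    private final Map<String, Entry> store = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();

    /** Issue a random token after a successful login; only this value goes in the cookie. */
    public String issue(String user, long ttlSeconds, Instant now) {
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.put(token, new Entry(user, now.plusSeconds(ttlSeconds)));
        return token;
    }

    /** Resolve a cookie value to a user, rejecting missing, unknown or expired tokens. */
    public Optional<String> resolve(String token, Instant now) {
        if (token == null) return Optional.empty();
        Entry e = store.get(token);
        if (e == null || !now.isBefore(e.expires())) {
            store.remove(token); // drop expired entries; harmless if the token was unknown
            return Optional.empty();
        }
        return Optional.of(e.user());
    }

    public void revoke(String token) { store.remove(token); } // logout or lost machine
    public static void main(String[] args) {
        RememberMeTokens tokens = new RememberMeTokens();
        Instant t0 = Instant.parse("2003-04-10T14:00:00Z"); // constructed sample time
        String cookie = tokens.issue("jsmith", 3600, t0);   // constructed sample user
        // The server sees only the cookie value: a copy on another machine resolves the same way.
        System.out.println("valid:   " + tokens.resolve(cookie, t0.plusSeconds(60)));
        // Unlike a stored password, the token stops working after its lifetime...
        System.out.println("expired: " + tokens.resolve(cookie, t0.plusSeconds(7200)));
        String second = tokens.issue("jsmith", 3600, t0);
        tokens.revoke(second); // ...and can be invalidated on the server at any time.
        System.out.println("revoked: " + tokens.resolve(second, t0.plusSeconds(60)));
    }
}
```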
