I needed to quickly roll out a small security framework for an app at work. Since it’s a security framework, it must have at the minimum:
- User Management – add/edit/delete users for administrators and change password for users.
- Authentication – establish identity of a user by getting user credentials typically via a login page.
- Authorization – establish if an authenticated user is allowed access to a resource.
For user management, I cheated and decided to have ActiveDirectory handle it. System administrator can add/edit/delete users using Windows admin console and users can change their passwords via ctrl+alt+delete.
For authentication, I made login.jsp and loginhandler.jsp. loginhandler.jsp uses authenticates against ActiveDirectory and, when authenticated, forwards the user to the previously requested URI. This URI was saved by the authorization filter.
Ahmed Hammad provided the reference code for authenticating against an ActiveDirectory server.
For the authorization check. Every time a user accesses a certain resource, we check if he is allowed access to that resource’s URI. If he is authorized, he is allowed to continue on to the resource.
Michael Klaene provided the reference code for the authorization filter.
And that was all there is to it.
Next, I’m thinking of using j_security_check if it has no platform-dependency issues.
pageEncoding=”ISO-8859-1″%>
<!DOCTYPE html PUBLIC “-//W3C//DTD HTML 4.01 Transitional//EN” “http://www.w3.org/TR/html4/loose.dtd”>
<html>
<head>
<meta http-equiv=”Content-Type” content=”text/html; charset=ISO-8859-1″>
<title>Login</title>
</head>
<body>
<b>Login</b><br>
<form method=”POST” action=”<%=request.getContextPath()%>/loginhandler.jsp”>
Username: <input type=”text” name=”username”/><br/>
Password: <input type=”password” name=”password”/><br/>
<input type=”submit” value=”Login!”/>
</form>
</body>
</html>