Should I have: 1) A login bean that stores the username and password entered in the login form, and 2) A servlet that retrieves details from the bean and the database to validate user details
Flow of events could be something like this: login.jsp (View) -> loginbean (Model) -> mySQLservlet
Am I thinking right? :P
Typically a Java EE Web application delegates the security to the container. So you declare that your application's resources (URLs) require authorisation (this URL can be accessed by these roles), then when you deploy the app you associate users and groups with those roles.
The application server will then be associated with some user registry (LDAP, Operating System, simple text file or whatever) and when the user attempts to access the URL they get challenged and their authorisation then checked. You don't need to write any code.
This establishes a security context which can be flowed elsewhere (for example into an EJB), and if you do need to do finer-grained authorisation checks you can access the user's principal information in your code.
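As an added illustration of the container-managed approach described above (example code, not from the question or the answer), here is a Servlet 3.0 servlet that declares its access rules instead of checking passwords itself. The role names `user` and `admin` and the URL pattern `/account` are assumptions; the container still needs a `<login-config>` in web.xml (BASIC, or FORM pointing at a page such as the login.jsp from the question) and a deploy-time mapping of real users or groups to these roles.

```java
// Added example: a servlet protected by container-managed security.
// The container challenges the caller, authenticates them against its
// configured user registry (LDAP, OS accounts, a file realm, ...), checks
// the role mapping, and only then invokes doGet()/doPost().
// Role names "user"/"admin" and the path "/account" are assumptions.
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Declare the roles the application uses; the deployer maps users/groups to them.
@DeclareRoles({"user", "admin"})
@WebServlet("/account")
// Declarative access rule: any authenticated "user" or "admin" may reach this
// URL, and only over a confidential (TLS) transport. No credential handling
// appears in application code.
@ServletSecurity(@HttpConstraint(
        rolesAllowed = {"user", "admin"},
        transportGuarantee = TransportGuarantee.CONFIDENTIAL))
public class AccountServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container has already established the security context; the
        // principal is available for auditing or per-user data lookups.
        Principal principal = req.getUserPrincipal();
        if (principal == null) {
            // Defensive: cannot happen while the constraint is enforced, but
            // fail closed rather than serve an anonymous caller.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("Account page for " + principal.getName());
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Finer-grained authorisation in code: the URL constraint admits both
        // roles, but only an admin may perform the modifying operation.
        if (!req.isUserInRole("admin")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // ... perform the privileged update for req.getUserPrincipal() here ...
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

`isUserInRole` and `getUserPrincipal` read the context the container built at login; because the servlet never sees the password, the application has nothing to store or validate itself, which is the point the answer makes about letting the container own authentication.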