[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
Re: User registration/authentication
Ok, to resume:
1. The very first operation during request proccessing will be
getConnection() con_1 without login/password.
login() proc will be called with empty login or will not be called at all.
I prefer second option since in both cases session_info won't have any
records, and therefore it won't be any access to privileged tables.
2. con_1 is used for checking if user logged-in using userid that is
stored in HttpSession after successful login/registration.
2-1. User not-logged-in.
2-1-1. There is no DB operation on this servlet that requires
authentication.
2-1-1-1. con_1 released after DB communication job is done. logout()
proc is not called.
2-1-2. There is a DB operation on this servlet that requires
authentication.
2-1-2-1. User redirected to login. con_1 released, logout() proc is not
called.
2-2. User logged-in.
2-2-1. con_1 is used for getting login, password, server from DB using
userid from HttpSession.
2-2-2. con_1 released. logout() proc is not called.
2-2-3. Call getConnection(login, password,..) which returns con_2.
login() proc called with login/password.
2-2-4 con_2 released after DB communication job is done. logout() proc
is called.
Regarding steps 2-1-1. and 2-1-2.
If the DB operation needs authentication, it will return 'access denied'
code.
Please comment.