
Re: User registration/authentication



See my comments in text.

2007/4/3, sergey@total-knowledge.com <sergey@total-knowledge.com >:
Ok, to resume:

1. The very first operation during request processing will be
getConnection() con_1 without login/password.
login() proc will be called with empty login or will not be called at all.
I prefer the second option since in both cases session_info won't have any
records, and therefore there won't be any access to privileged tables.

Ok by me.

2. con_1 is used for checking if user logged-in using userid that is
stored in HttpSession after successful login/registration.
        2-1. User not-logged-in.
                2-1-1. There is no DB operation on this servlet that requires
authentication.
                        2-1-1-1. con_1 released after DB communication job is done. logout()
proc is not called.

It is preferable to call logout() proc on _any_ connection release. That protects us from re-using unauthenticated connections.

                2-1-2. There is a DB operation on this servlet that requires
authentication.
                        2-1-2-1. User redirected to login. con_1 released, logout() proc is not
called.

Same as above.

        2-2. User logged-in.
                2-2-1. con_1 is used for getting login, password, server from DB using
userid from HttpSession.
                2-2-2. con_1 released. logout() proc is not called.
                2-2-3. Call getConnection(login, password,..) which returns con_2.
login() proc called with login/password.
                2-2-4. con_2 released after DB communication job is done. logout() proc
is called.

Ok by me.

Regarding steps 2-1-1. and 2-1-2.
If the DB operation needs authentication, it will return 'access denied'
code.

Actually, you should get an exception for incorrect user name or password. I'm currently making the corrections to allow an empty username.

Please comment.

--
Alexey Parshin,
http://www.sptk.net
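The scheme worked out in the thread above, modelled as an added example that is not code from the thread, from SPTK or from Total Knowledge. It is a small in-memory stand-in: DbConnection, ConnectionPool, CREDENTIALS, session_info as a single field and the login()/logout() procedures are all assumptions, and the credentials are constructed sample data. What the model shows is the point Alexey makes about step 2-1-1-1: if the pool calls logout() on every release, a handler that forgets (or is interrupted before) its own logout() cannot leave a still-authenticated connection for the next anonymous request to pick up. Bad credentials raise an exception rather than returning an 'access denied' code, and an empty login skips the login() proc entirely.

```python
"""Added example: connection pool with logout-on-every-release.

Everything here (DbConnection, ConnectionPool, CREDENTIALS, AccessDenied)
is a hypothetical stand-in for the real servlet / DB-procedure code.
"""

# Constructed sample tables. USERS: DB login -> password.
# CREDENTIALS: userid kept in HttpSession -> (login, password) row (step 2-2-1).
USERS = {"alice": "s3cret", "bob": "hunter2"}
CREDENTIALS = {1: ("alice", "s3cret"), 2: ("bob", "hunter2")}


class AccessDenied(Exception):
    """Raised by login() for a wrong user/password and by privileged queries
    when session_info has no record (exception, not a return code)."""


class DbConnection:
    def __init__(self, conn_id):
        self.conn_id = conn_id
        self.session_info = None  # no record -> no privileged access

    def login(self, login, password):
        """Model of the login() proc: fills session_info or raises."""
        if USERS.get(login) != password:
            raise AccessDenied(f"bad credentials for {login!r}")
        self.session_info = login

    def logout(self):
        """Model of the logout() proc: clears session_info."""
        self.session_info = None

    def query_privileged(self):
        """A query that the DB only answers for an authenticated session."""
        if self.session_info is None:
            raise AccessDenied("no session_info record")
        return f"rows visible to {self.session_info}"


class ConnectionPool:
    def __init__(self, logout_on_release):
        self.logout_on_release = logout_on_release
        self._free = [DbConnection(i) for i in range(2)]

    def get_connection(self, login="", password=""):
        con = self._free.pop()
        if login:  # empty login: login() proc not called at all (step 1)
            try:
                con.login(login, password)
            except AccessDenied:
                self.release(con)  # hand it back before propagating
                raise
        return con

    def release(self, con):
        # Alexey's suggestion: logout() on _any_ release, whatever the caller did.
        if self.logout_on_release:
            con.logout()
        self._free.append(con)


def logged_in_request(pool, userid, explicit_logout=True):
    """Steps 2-2-1 .. 2-2-4. explicit_logout=False simulates a handler that
    forgets (or never reaches) its own logout() call."""
    con_1 = pool.get_connection()                  # step 1: no credentials
    login, password = CREDENTIALS[userid]          # 2-2-1: lookup by userid
    pool.release(con_1)                            # 2-2-2
    con_2 = pool.get_connection(login, password)   # 2-2-3: login() called
    try:
        return con_2.query_privileged()
    finally:
        if explicit_logout:
            con_2.logout()                         # 2-2-4
        pool.release(con_2)


def anonymous_request(pool):
    """Step 2-1-1: a request with no userid in HttpSession. A privileged
    query on con_1 must be denied."""
    con_1 = pool.get_connection()
    try:
        return con_1.query_privileged()
    except AccessDenied:
        return "denied"
    finally:
        pool.release(con_1)


def stale_session_leaks(logout_on_release, handler_forgets_logout):
    """True if an anonymous request inherits a previous user's session."""
    pool = ConnectionPool(logout_on_release)
    logged_in_request(pool, 1, explicit_logout=not handler_forgets_logout)
    return anonymous_request(pool) != "denied"


if __name__ == "__main__":
    print("pool without logout-on-release, handler forgets logout:",
          stale_session_leaks(False, True))   # True: privileges leak
    print("pool with logout-on-release, handler forgets logout:",
          stale_session_leaks(True, True))    # False: pool cleaned it up
```

The pool holds two connections and hands out the most recently released one, so the anonymous request always receives the connection the authenticated request just used; that is the reuse the thread is concerned about, and the logout_on_release flag is the only thing standing between the two outcomes when the handler's own logout() is skipped.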

Authoright © Total Knowledge: 2001-2008