
Larry Brown, Marty Hall, and Yaakov Chaikin

"Core Servlets and JavaServer Pages, Volume 2"

Principal object. The
Principal object contains little information beyond the username
(available with the getName method). So, the main reason for using
getUserPrincipal in lieu of getRemoteUser is to be compatible
with preexisting security code (the Principal class is not specific to
the servlet and JSP API and has been part of the Java platform since
version 1.1). If no user is currently authenticated, getUserPrincipal
returns null.

Chapter 4 - Programmatic Security 182

It is important to note that this type of programmatic security does not negate the
benefits of container-managed security. With this approach, you can still set up usernames,
passwords, and roles by using your server's mechanisms. You still use the
login-config element to tell the server whether you are using form-based or
BASIC authentication. If you choose form-based authentication, you still use an
HTML form with an ACTION of j_security_check, a text field named
j_username, and a password field named j_password. Unauthenticated users are
still automatically sent to the page containing this form, and the server still automatically
keeps track of which users have been authenticated. You still use the
security-constraint element to designate the URLs to which the access
restrictions apply. You still use the user-data-constraint element to specify
that certain URLs require SSL. For details on all of these topics, see Section 3.
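
The following servlet is an added example, not code from the book. It shows getUserPrincipal handing a Principal to code that knows nothing about servlets, with the null case handled, while login itself stays with the container. The names AccountServlet, legacyAuditLine, and escapeHtml are hypothetical, and the javax.servlet API is assumed to be on the classpath.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// AccountServlet and legacyAuditLine are hypothetical names for this example.
public class AccountServlet extends HttpServlet {

  // Stands in for preexisting security code: it depends only on
  // java.security.Principal, not on the servlet or JSP API.
  static String legacyAuditLine(Principal who, String action) {
    return who.getName() + " performed " + action;
  }

  @Override
  protected void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    Principal principal = request.getUserPrincipal();
    // null means no user is currently authenticated, for example because this
    // URL is not covered by a security-constraint. Refuse instead of dereferencing.
    if (principal == null) {
      response.sendError(HttpServletResponse.SC_FORBIDDEN);
      return;
    }
    log(legacyAuditLine(principal, "view-account"));

    response.setContentType("text/html; charset=UTF-8");
    PrintWriter out = response.getWriter();
    // Escape the name before writing it into HTML; do not assume that
    // usernames are free of markup characters.
    out.println("<p>Signed in as " + escapeHtml(principal.getName()) + "</p>");
  }

  private static String escapeHtml(String s) {
    return s.replace("&", "&amp;").replace("<", "&lt;")
            .replace(">", "&gt;").replace("\"", "&quot;");
  }
}
```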

