I'd like to build a Webware application that works like this:
1) User provides a username and a password.
2) Application binds to LDAP using the username and password.
3) Application keeps the bound LDAP object through the user's session,
and destroys it only when the user logs out, or after a timeout.
I could store the user's password in the session, but that feels so
very wrong - from a security point of view, I don't want to store the
password anywhere if an attacker gains access to the session store.
Is this possible using the current sessions? I haven't tested it, I
just thought I should ask before putting a lot of time into it :). It
just feels like open network connections are hard to pickle, but I can
If not possible, an alternate solution would be to store the LDAP
connection in some kind of pool that's shared between all Servlets in
a Context, and then get the right connection using information in the
session (it's no problem to store the username, for example, and use
that as a key - or some other session id). Any hints on how to
Erik Forsberg http://www.lysator.liu.se/~forsberg/
GPG/PGP Key: 1024D/0BAC89D9
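
An added example, not part of the original message: a minimal in-process pool of the kind the post describes, so the session store holds only an opaque token and never the password. The class name, the injected `bind` callable (with python-ldap it would wrap `ldap.initialize()` and `simple_bind_s()`), the choice of a random token instead of the username as key, and a single-process application server are all assumptions.

```python
import secrets
import threading
import time


class BoundConnectionPool:
    """In-process map of opaque token -> bound connection (hypothetical name)."""
    def __init__(self, bind, idle_timeout=900, clock=time.monotonic):
        self._bind = bind  # assumed: callable(username, password) -> bound connection
        self._idle_timeout = idle_timeout
        self._clock = clock
        self._lock = threading.Lock()
        self._entries = {}  # token -> [connection, last_used]

    def open(self, username, password):
        conn = self._bind(username, password)  # raises on bad credentials
        token = secrets.token_urlsafe(32)  # only this value goes into the session
        with self._lock:
            self._entries[token] = [conn, self._clock()]
        return token  # the password is used for the bind only, never stored

    def get(self, token):
        """Return the live connection for token, or None if unknown or idle too long."""
        with self._lock:
            entry = self._entries.get(token)
            if entry is not None and self._clock() - entry[1] <= self._idle_timeout:
                entry[1] = self._clock()
                return entry[0]
            self._entries.pop(token, None)
        if entry is not None:
            entry[0].unbind_s()  # expired: drop the server-side bind as well
        return None

    def close(self, token):
        """Logout: forget the token and unbind."""
        with self._lock:
            entry = self._entries.pop(token, None)
        if entry is not None:
            entry[0].unbind_s()

    def reap(self):
        """Unbind every connection idle past the timeout; run periodically."""
        now = self._clock()
        with self._lock:
            dead = [t for t, e in self._entries.items() if now - e[1] > self._idle_timeout]
            conns = [self._entries.pop(t)[0] for t in dead]
        for conn in conns:
            conn.unbind_s()
        return len(conns)
```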