From: Erik F. <for...@ly...> - 2002-10-09 13:21:22
Hi!

I'd like to build a Webware application that works like this:

1) User provides a username and a password.
2) Application binds to LDAP using the username and password.
3) Application keeps the bound LDAP object through the user's session, and destroys it only when the user logs out, or after a timeout.

I could store the users' password in the session, but that feels so very wrong - from a security point of view, I don't want to store the password anywhere if an attacker gains access to the session store.

Is this possible using the current sessions? I haven't tested it, I just thought I should ask before putting a lot of time into it :). It just feels like open network connections are hard to pickle, but I can be wrong.

If not possible, an alternate solution would be to store the LDAP connection in some kind of pool that's shared between all Servlets in a Context, and then get the right connection using information in the session (it's no problem to store the username, for example, and use that as a key - or some other session id).

Any hints on how to implement this?

\EF
--
Erik Forsberg http://www.lysator.liu.se/~forsberg/
GPG/PGP Key: 1024D/0BAC89D9
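One way the shared pool described in the post's last paragraph could look, as an added example that is not part of the original post: the session stores only a random handle plus the username, and the password is used once for the bind and then dropped. `BoundConnectionPool` and its `bind` callable are hypothetical names; `bind` is assumed to wrap something like python-ldap's `initialize()` and `simple_bind_s()` and return the bound object.

```python
import secrets
import threading
import time


class BoundConnectionPool:
    """In-process pool of already-bound connections, keyed by an opaque handle."""

    def __init__(self, bind, idle_timeout=900, clock=time.monotonic):
        self._bind = bind              # assumed: bind(username, password) -> connection
        self._idle_timeout = idle_timeout
        self._clock = clock
        self._lock = threading.Lock()  # servlets run in several threads
        self._entries = {}             # handle -> [username, connection, last_used]

    def login(self, username, password):
        conn = self._bind(username, password)  # raises on bad credentials
        handle = secrets.token_urlsafe(32)     # unguessable, unlike the username
        with self._lock:
            self._entries[handle] = [username, conn, self._clock()]
        return handle                          # the only thing the session keeps

    def get(self, handle, username):
        """Return the live connection, or None if unknown, expired or another user's."""
        with self._lock:
            self._expire_locked()
            entry = self._entries.get(handle)
            if entry is None or entry[0] != username:
                return None
            entry[2] = self._clock()           # touch: idle timer restarts
            return entry[1]

    def logout(self, handle):
        with self._lock:
            entry = self._entries.pop(handle, None)
        if entry is not None:
            self._close(entry[1])

    def _expire_locked(self):
        now = self._clock()
        stale = [h for h, e in self._entries.items() if now - e[2] > self._idle_timeout]
        for h in stale:
            self._close(self._entries.pop(h)[1])

    @staticmethod
    def _close(conn):
        unbind = getattr(conn, "unbind_s", None)  # python-ldap's LDAPObject.unbind_s()
        if unbind is not None:
            unbind()
```

The pool lives in the application server's memory, so a copy of the session store yields only handles that are useless outside the running process, and a restart forces users to log in again.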