5.10.8 Notes on API-based implementation
This section contains the notes on the implementation of API-based user authentication.
(1) Notes on implementing login and logout sessions
If login and logout are implemented without using the Subject, that is, if the LoginContext instance created at login is kept and reused for logout, the logout may fail depending on the login module settings.
Use the Subject when implementing login and logout. The following is an example of the implementation that should be avoided.
- Login and logout implementation that should be avoided

  <%@ page import="javax.security.auth.login.LoginContext, javax.security.auth.login.LoginException" %>
  <%-- WebPasswordHandler is the Cosminexus callback handler; import it from the package documented for your version. --%>
  <%
    LoginContext lc = new LoginContext("Portal",
        new WebPasswordHandler(request, response, null, "login.html", true));
    try {
      lc.login();
    } catch (LoginException e) {
      ...
    }
    // Must not be done: the LoginContext is retained in the session for use at logout.
    session.setAttribute("loginContext", lc);
  %>
  ...
  <%
    // Must not be done: the LoginContext created at login is reused for logout.
    LoginContext lc = (LoginContext)session.getAttribute("loginContext");
    try {
      lc.logout();
    } catch (LoginException e) {
      ...
    }
  %>
  ...

Note: In the original, the portions shown in bold type with a background color (marked "Must not be done" above) are the implementations that must not be made.
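The recommended pattern is to keep only the Subject returned by the login and to build a fresh LoginContext around that Subject when logging out; the login modules' logout() methods then remove their principals and credentials from the stored Subject. The following is an added, self-contained JAAS example illustrating this and is not code from the Cosminexus manual or product: the login module (DemoLoginModule), the principal class, the programmatic "Portal" configuration and the user "alice"/"secret" are all constructed for the demonstration. In a web application the Subject would be stored in the HttpSession in place of the LoginContext, and WebPasswordHandler would take the place of the small callback handler used here.

```java
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import java.security.Principal;
import java.util.Collections;
import java.util.Map;

public class SubjectBasedLogout {

    // Constructed principal type used by the demo module (assumption, not Cosminexus code).
    public static class DemoPrincipal implements Principal {
        private final String name;
        public DemoPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public String toString() { return name; }
    }

    // Constructed stand-in for a real login module: accepts one fixed user and
    // records a DemoPrincipal on the Subject it was initialized with.
    public static class DemoLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private DemoPrincipal principal;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> shared, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (Exception e) {
                throw new LoginException("callback failed: " + e);
            }
            String pw = new String(pc.getPassword());
            pc.clearPassword();
            if (!"alice".equals(nc.getName()) || !"secret".equals(pw)) {
                throw new FailedLoginException("bad credentials");
            }
            principal = new DemoPrincipal(nc.getName());
            return true;
        }

        public boolean commit() {
            if (principal == null) return false;
            subject.getPrincipals().add(principal);
            return true;
        }

        public boolean abort() { principal = null; return false; }

        // logout() acts on whatever Subject this LoginContext was given, which is
        // why a new LoginContext built around the stored Subject can log it out.
        public boolean logout() {
            subject.getPrincipals().removeIf(p -> p instanceof DemoPrincipal);
            principal = null;
            return true;
        }
    }

    // Programmatic equivalent of a JAAS configuration entry named "Portal" (constructed).
    static final Configuration CONFIG = new Configuration() {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!"Portal".equals(name)) return null;
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    Collections.emptyMap())
            };
        }
    };

    // Minimal callback handler supplying a fixed name and password (constructed).
    static CallbackHandler handlerFor(String user, String password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    // Login: authenticate and return only the Subject; the LoginContext is discarded.
    static Subject login(String user, String password) throws LoginException {
        LoginContext lc = new LoginContext("Portal", null, handlerFor(user, password), CONFIG);
        lc.login();
        return lc.getSubject();
    }

    // Logout: a new LoginContext around the stored Subject, no retained LoginContext needed.
    static void logout(Subject subject) throws LoginException {
        LoginContext lc = new LoginContext("Portal", subject, null, CONFIG);
        lc.logout();
    }

    public static void main(String[] args) throws LoginException {
        Subject s = login("alice", "secret");
        System.out.println("after login:  " + s.getPrincipals());
        logout(s);
        System.out.println("after logout: " + s.getPrincipals());
    }
}
```

Running main shows the principal set populated after login and empty after logout, even though the LoginContext used at login no longer exists: the Subject, not the LoginContext, carries the authentication state between the two requests.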
(2) Notes on implementing the sessions to reference and obtain user information
When implementing the sessions to reference and obtain user information, please note the following:
- Changes to the UserAttributes object values are not applied to the repository. The obtained attributes are not modified in the user authentication library.
- The attributes registered in the UserAttributes object are of the String type only.
- If no attributes are specified in the attribute list, a null character is assigned.