tomcat-dev mailing list archives

From Arieh Markel <Arieh.Mar...@Central.Sun.COM>
Subject login-config handling implementation idea(s)
Date Mon, 14 Feb 2000 17:08:24 GMT
Back to the login-config handling.

I see that the spec relates to having a login-config as specifying the
following elements:

	. auth-method: to configure the authentication mechanism
	. realm-name:  to identify the realm-name that the login-config
		       is associated to
	. form-login-config: to describe the login process
	
I will relate to form-login-config.

The spec indicates that 'form-login-config' includes two elements:

	. form-login-page
	. form-error-page
	
The 'form-login-page' is expected to be provided to the user whenever
access to the login-page has not been carried out during his session.

For example:

	let's say the user wants to access 'http://myserver/fooservlet'

but tomcat has been previously configured with:

	form-login-page:	/login
	form-error-page:	/login_error
	
On receipt of a request, verification will be done that the request is
already associated with an existing session (which may imply that
user authentication has already taken place and/or a session object has 
been created).

If the verification indicates that the user has not gone through the login
screen, then the 'form-login-page' will be presented to him/her.

On successful processing of 'form-login-page', the page that he wanted to
access will be presented.
On failure in processing, 'form-error-page' should be presented.

---

Here are the issues that I am finding when considering how to implement this:

a. How one writes 'login' servlets or forms:

   In my experience, my login servlets are usually forms where the
   GET method displays the form, and the POST method performs the
   processing.
   
   Successful POST handling will present the first page in the application.
   
b. How a. maps to what is stated in the specification:

   The 'form-login-page' maps to the login servlet that is displayed.
   The 'form-error-page' maps to whatever the login servlet displays when
   errors occur on the POST processing.
   
   The 'original-request' is what the POST method performs a display of
   (location redirect) following a successful login.
   
I am having a hard time finding a solution that does not include some
LoginServlet base class (perhaps abstract class) that would be able to
dynamically (at run time) direct the successful POST to the previously
issued 'original-request-page'.

Similarly, to dynamically get the 'form-login-page' and 'form-error-page'
from the context.

---

Do you think that such a servlet should be part of the tomcat deliverables,
or just one of the examples ?

What do you think are other possible solutions that would allow us to
accomplish what the spec stipulates ?

--

Arieh 	       
--
 Arieh Markel		                Sun Microsystems Inc.
 Network Storage                        500 Eldorado Blvd. MS UBRM11-194
 e-mail: arieh.markel@sun.COM           Broomfield, CO 80021
 Let's go Panthers !!!!                 Phone: (303) 272-8547 x78547
 (e-mail me with subject SEND PUBLIC KEY to get public key)
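
Added example, not part of the original message or of Tomcat's code: a sketch of the abstract login base class the message proposes, written against the javax.servlet API. The session attribute keys, the `username`/`password` parameter names, the `requireLogin` guard, and the use of context init-params named `form-login-page` and `form-error-page` (assumed to be set) are assumptions made for illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.*;
public abstract class AbstractLoginServlet extends HttpServlet {
    // Assumed names (not from the spec or Tomcat): session keys and context init-params.
    static final String ORIGINAL_REQUEST = "example.login.originalRequest";
    static final String USER = "example.login.user";

    /** Application-specific credential check. */
    protected abstract boolean authenticate(String user, String password);

    /** Renders the login form (the GET half of the login servlet). */
    protected abstract void showForm(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException;

    /** Guard for requests without a logged-in session: remember the target, show the login page. */
    public static void requireLogin(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String target = req.getRequestURI();
        if (req.getQueryString() != null) target += "?" + req.getQueryString();
        HttpSession s = req.getSession(true);
        s.setAttribute(ORIGINAL_REQUEST, target);   // kept server-side, never in a form field
        String login = s.getServletContext().getInitParameter("form-login-page");
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + login));
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException { showForm(req, resp); }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        if (!authenticate(user, req.getParameter("password"))) {
            String error = getServletContext().getInitParameter("form-error-page");
            req.getRequestDispatcher(error).forward(req, resp);
            return;
        }
        HttpSession old = req.getSession(true);
        String target = (String) old.getAttribute(ORIGINAL_REQUEST);
        old.invalidate();                            // fresh session id after login
        req.getSession(true).setAttribute(USER, user);
        String home = req.getContextPath() + "/";
        // Redirect only to a path inside this application; otherwise fall back to its root.
        if (target == null || !target.startsWith(home) || target.startsWith("//")) target = home;
        resp.sendRedirect(resp.encodeRedirectURL(target));
    }
}
```

A concrete login servlet would extend this class and supply only `authenticate` and `showForm`; the redirect to the original request and the lookup of the two configured pages stay in the base class.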

