tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <>
Subject Re: About Form-Login-Config
Date Sat, 11 Nov 2000 00:55:18 GMT
Arieh Markel wrote:

> I am reading the (2.3) spec and am realizing that I am not able to
> share a login page with multiple contexts.

That's true (also true for servlet 2.2).

> In our (embedded) use of Tomcat, we have different contexts, but
> we use a single login form/screen.
> When configuring the web.xml for those contexts, I realize that there is
> no way to have a successful form-login-page without it belonging to the
> same context.
> In our case, the login form is actually a servlet that belongs to the
> default context.
> I was hoping to be able to point at that (default context /login)
> servlet from the other contexts.
> One of the solutions could be to define a /login (the same) servlet
> on all the various contexts.
> (I will mention that I am defining my contexts as 'trusted').
> (Another note: I am using 3.2)
> If I do what mention in the last paragraph, I will end up with having
> three different instances of the login servlet, right ?

Yes, assuming you have three contexts.

But that isn't going to be the worst of it -- a user's identity does not
propogate across web apps either, so a user that is using all three contexts
will have to authenticate themselves to all three web apps.

> ------
> An alternate approach could be to define 'login.html' files in those
> contexts, and to have that file perform a Location redirect to the
> default-context /login servlet.

Won't that cause the user to log in only to the default context?

> ------
> I am wondering about the reasons that may have forced the definition
> of a context-relative login-form as opposed to allowing a URL to be
> specified.

The reasoning for this was the same as the reasoning for everything else in
a web-app being context relative.  The whole idea is that a web application
should be a stand alone entity, able to be deployed on *any* server that
supports the required API levels, without external dependencies.

The "escape valve" for cross-app authentication that the servlet spec
provides is the notion of supporting "single sign on" (Servlet 2.2, section
11.6, and Servlet 2.3 PFD, section 12.6).  The basic idea is that a user
authenticates himself or herself to the first app in which they try to
access a protected page, and then this identity is remembered across all the
other apps running in the same server.

Unfortunately for your particular requirements :-(, none of the Tomcat 3.x
versions support this feature -- although Tomcat 4.0 does.

> Arieh

Craig McClanahan

View raw message