From: "Carlos Pita" <cpita@tycdigital.com>
To: tomcat-dev@jakarta.apache.org
Subject: Login Form & Authentication
Date: Thu, 8 Feb 2001 16:42:55 -0300

Hi!

I'm working on a project using servlets (with Tomcat 3.2) and I have a question regarding the security mechanisms described in the servlet 2.2 spec and how to integrate them with aspects of the application other than login (for example, registration). More specifically, the application offers a registration form on the home page (nothing new here) and a registration form on the same page as the login form, which should be shown when a resource declaratively marked as secure is being accessed (nothing new here).

So, to my surprise, I see no way to solve the next 2 problems inside the 2.2 spec (I'm using FORM authentication):

1) in the registration form on the home page there is no concept of a secured page to go to once registered, but the user should still be logged in, so if I call j_security_check it's not defined what would happen (and the solution is really dirty);

2) in the registration form on the login page, if the user chooses the registration way, the form can't be directly submitted to j_security_check because his/her information should be saved before being completely lost.

I wanted to be standard, 2.2 standard! But instead I ended up reading Tomcat request interceptor sources. Still I'm looking for a clean solution. I obviously should set the session j_username and j_password directly, and this doesn't seem very portable. If I do that and then move my servlets to a container other than Tomcat, nasty things could happen. I think I would need to get the sources again (if available) or to program all the security stuff by myself (idea!: using j_username and j_password in the session to reuse my 6 lines of code). I can't believe that the servlet spec doesn't provide an API to authenticate the user.

I'm urged to know:

1) Is there a better solution?

2) If not, will the solution I proposed work?

Thank you
Carlos
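The following is an added example, not code from the message or from Tomcat, showing the registration-then-login flow the message asks about without hand-setting j_username/j_password in the session. It assumes a Servlet 3.0 or later container: `HttpServletRequest.login(String, String)` was added in Servlet 3.0 and does not exist in the Servlet 2.2 spec the message discusses. It also assumes FORM authentication is configured in web.xml with a realm that reads the same user store the servlet writes to; `UserStore`, the `userStore` context attribute, the `/home` landing page and the optional `target` parameter are all hypothetical. The old session is invalidated before login so a pre-authentication session id cannot carry over, the password is never stored in the session, and only same-site relative redirect targets are honoured.

```java
// Added example (not part of the original message or of Tomcat): register a user and
// authenticate them programmatically through the container's realm, so neither
// registration form has to be routed through j_security_check.
// Assumes Servlet 3.0+ (HttpServletRequest.login), FORM auth configured in web.xml,
// and a hypothetical UserStore shared with the realm.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/register")
public class RegistrationServlet extends HttpServlet {

    // Hypothetical persistence layer. In a real deployment this is the same store the
    // container's realm authenticates against, and create() must hash the password.
    public interface UserStore {
        boolean exists(String username);
        void create(String username, String password);
    }

    private UserStore users;

    @Override
    public void init() {
        // Hypothetical: the store is published by a context listener under this attribute name.
        users = (UserStore) getServletContext().getAttribute("userStore");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");

        // Minimal input validation before touching the store.
        if (username == null || username.isEmpty() || password == null || password.length() < 8) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "username and a password of at least 8 characters are required");
            return;
        }
        if (users.exists(username)) {
            resp.sendError(HttpServletResponse.SC_CONFLICT, "username already taken");
            return;
        }

        // Case 2 in the message: persist the registration data first, so nothing is lost
        // if the authentication step fails.
        users.create(username, password);

        // Discard any pre-authentication session so an externally supplied session id
        // does not become the authenticated session (session fixation defence).
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }

        try {
            // Portable programmatic login via the configured realm; this replaces writing
            // j_username/j_password into the session, which is container-specific and
            // leaves the clear-text password resident in the session.
            req.login(username, password);
        } catch (ServletException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "authentication failed after registration");
            return;
        }

        // Fresh session for the now-authenticated principal.
        req.getSession(true);

        // Case 1 in the message: registration from the home page has no protected resource
        // to resume, so land on a default page. A hypothetical "target" parameter lets the
        // login-page variant resume a requested URL, restricted to same-site relative paths
        // so the parameter cannot be abused as an open redirect.
        String target = req.getParameter("target");
        if (target == null || !target.startsWith("/") || target.startsWith("//")) {
            target = req.getContextPath() + "/home";
        }
        resp.sendRedirect(target);
    }
}
```

The login form itself stays exactly as the Servlet spec prescribes: a POST to `j_security_check` with `j_username` and `j_password` fields; only the registration path bypasses it. Containers that still implement Servlet 2.2 have no `login()` method, which is the portability gap the message describes; on those, the only standard-conforming option is to redirect the freshly registered user to a protected page and let the FORM login challenge run.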