tomcat-users mailing list archives

From "John de la Garza" <jdelaga...@designinsites.com>
Subject RE: formbased security
Date Mon, 04 Dec 2000 19:44:40 GMT
Thanks!

You've been super helpful, just wanted to let you know I really appreciate
it and have got a lot out of your quick responses!  I normally don't get
support this good, even when it is billed at $100 a question.

-----Original Message-----
From: Craig R. McClanahan [mailto:Craig.McClanahan@eng.sun.com]
Sent: Monday, December 04, 2000 11:04 AM
To: tomcat-user@jakarta.apache.org
Subject: Re: formbased security


John de la Garza wrote:

> What I meant was how can I never have them see the tomcat login...I want
> to validate them manually from my own code?
>
> I have a web based app that the user must log into...I want to log the
> user in to tomcat once they are logged into the application.
>
> What I meant about being asked twice was that they would be asked to login
> to my app...then asked once to log into tomcat's thing..
>

If you want the user to experience a single login, you need to choose one
approach or the other -- either have your application do it all, or have
Tomcat do it all.

In the former case, your application would need to do its own checking (on
every request) that the user is still logged in, and redirect them to the
login page if needed.  You would not have any <security-constraint> or
<login-config> entries in your web.xml file.

For Tomcat-managed security, you would install such directives, and set up
your users and roles appropriately (by default in the
"conf/tomcat-users.xml" file).  You can customize the look and feel of the
login page if you choose form-based authentication.  See the servlet
specification <http://java.sun.com/products/servlet/download.html> for more
information on this.

Craig McClanahan
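
The Tomcat-managed, form-based option described in the reply above, sketched as an added example that is not part of the original messages. The URL pattern, page paths, role name and user entry are assumptions; the `<user-data-constraint>` is an addition so that the login form and session are only served over TLS.

```xml
<!-- WEB-INF/web.xml fragment (constructed example; /app/*, /login.jsp,
     /login-error.jsp and the role "appuser" are assumed names) -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected application area</web-resource-name>
    <url-pattern>/app/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>appuser</role-name>
  </auth-constraint>
  <!-- Added hardening: require a confidential transport for these URLs -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- The application's own page, so the user sees a single login screen -->
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>appuser</role-name>
</security-role>

<!-- /login.jsp body: markup and styling are free; the servlet specification
     fixes only the action (j_security_check) and the two field names -->
<form method="POST" action="j_security_check">
  <input type="text" name="j_username"/>
  <input type="password" name="j_password"/>
  <input type="submit" value="Log in"/>
</form>

<!-- conf/tomcat-users.xml (constructed entry; early Tomcat releases use the
     attribute "name", later releases use "username") -->
<tomcat-users>
  <user name="jdoe" password="CHANGE_ME" roles="appuser"/>
</tomcat-users>
```

With these entries the container intercepts any request under the protected pattern, shows the application's own login page, and enforces the role check itself, so the application should not keep a second login screen of its own.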



