tomcat-users mailing list archives

From "Craig R. McClanahan" <Craig.McClana...@eng.sun.com>
Subject Re: getting a jsp file to always be executed on form-based authentification
Date Mon, 18 Dec 2000 18:52:38 GMT
Joakim Verona wrote:

> hello,
>
> I would like a certain jsp file to always be executed when form based auth succeeds,
> regardless of which resource we are trying to get at, something like an event-handler
> for the auth event.
>
> I can't really find a provision for such a function, other than having some session variable
> to check against, and including the same piece of code in every page.
>
> This is doable, but is there any more elegant solution?
>

Doing this goes quite a lot against the intent of what form-based authentication is all about.

Have you ever gone to a website with a protected area, where it popped up the username/password dialog box? (In other words, you were using BASIC authentication.) What happens is that you type in your username/password and then you are sent to whatever page you originally requested.

Form based login is supposed to work exactly like that. The first time you try to access a page that is protected by a security constraint, the servlet container will save your original request and present the login page to you. Then, when you are successfully authenticated, your *originally* requested page is displayed.

You will be able to tell whether the user is authenticated or not by checking the values returned by request.getRemoteUser() and request.getUserPrincipal().

>
> I will need to make my own security interceptor at some stage. Should I take care of
> this need in the interceptor?
>
> --
> Joakim Verona
> joakim@verona.se
> http://www.verona.se/

Craig McClanahan
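
The following is an added example, not part of the original message and not Tomcat's own code: one way to run a hook once per login without redirecting away from the originally requested page, by comparing `request.getUserPrincipal()` against a session marker. It assumes the `javax.servlet.Filter` API (Servlet 2.3 or later), which the thread does not mention; the class name `PostLoginFilter`, the attribute key and the `onLogin` method are hypothetical.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical filter: map it in web.xml to the same URL patterns as the security constraint.
public class PostLoginFilter implements Filter {
    // Hypothetical session key recording which user the hook last ran for.
    private static final String MARKER = "postLogin.user";
    private FilterConfig config;

    public void init(FilterConfig config) throws ServletException {
        this.config = config;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            Principal user = http.getUserPrincipal(); // null until the container has authenticated
            if (user != null) {
                HttpSession session = http.getSession();
                // Compare names so a session reused by a different user triggers the hook again.
                if (!user.getName().equals(session.getAttribute(MARKER))) {
                    session.setAttribute(MARKER, user.getName());
                    onLogin(http, user);
                }
            }
        }
        // Always continue: the originally requested resource is still served.
        chain.doFilter(req, res);
    }

    // Post-authentication work goes here; this version writes an audit line.
    // Two concurrent first requests may both reach this method, so keep it idempotent.
    protected void onLogin(HttpServletRequest http, Principal user) {
        config.getServletContext().log("login user=" + user.getName()
                + " addr=" + http.getRemoteAddr() + " uri=" + http.getRequestURI());
    }

    public void destroy() {
        config = null;
    }
}
```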


