tomcat-users mailing list archives

From "Carlos Pita" <>
Subject Login Form & Authentication
Date Thu, 08 Feb 2001 16:21:08 GMT

    I'm working on a project using servlets (with Tomcat 3.2) and I have a question regarding
the security mechanisms described in the servlet 2.2 spec and how to integrate them with
aspects of the application other than login (for example, registration). More specifically, the
application offers a registration form in the home page (nothing new here) and a registration
form in the same page as the login form, which should be shown when a resource declaratively
marked as secure is being accessed (nothing new here). So, to my surprise, I see no way to
solve the following 2 problems within the 2.2 spec (I'm using FORM authentication):
    1) in the registration form in the home page there is no concept of a secured page to
go to once registered, but the user should still be logged in, so if I call j_security_check it's
not defined what would happen (and the solution is really dirty);
    2) in the registration form in the login page, if the user chooses the registration way,
the form can't be directly submitted to j_security_check because his/her information should
be saved before being completely lost.
    I wanted to be standard, 2.2 standard! But instead I ended up reading the Tomcat request interceptor
sources. Still I'm looking for a clean solution. I obviously should set the session j_username
and j_password directly and this doesn't seem very portable. If I do that and then move my
servlets to a container other than Tomcat, nasty things could happen. I think I would need to
get the sources again (if available) or to program all the security stuff by myself (idea!:
using j_username and j_password in the session to reuse my 6 lines of code). I can't believe
that the servlet spec doesn't provide an API to authenticate the user.
    I'm urged to know:
    1) Is there a better solution?
    2) If not, will the solution I proposed work?

    Thank you
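
For reference, the declarative FORM login setup the message describes, written as a Servlet 2.2 `web.xml` fragment. This is an added example, not part of the original message; the URL pattern, page names and role name are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
    "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
  <!-- Assumed protected area: the container intercepts any request that
       matches this pattern and shows the login page instead. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Members area (assumed name)</web-resource-name>
      <url-pattern>/members/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <!-- Assumed page names. login.jsp holds the form that posts
           j_username and j_password to j_security_check. A registration
           form on the same page is ordinary application code: it has to
           store the new account first, so it cannot post straight to
           j_security_check (problem 2 in the message). -->
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>member</role-name>
  </security-role>

  <!-- The home page is not covered by any security-constraint, so a
       registration form there has no intercepted request for the
       container to return to after j_security_check (problem 1). -->
</web-app>
```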
