tomcat-users mailing list archives

From "Craig R. McClanahan" <>
Subject Re: FormBased Authentication properties
Date Fri, 09 Feb 2001 00:42:00 GMT

Johnson Lim wrote:

> Hello,
> I have tried using form-based authentication; I have several questions on
> it (please help):
> 1. Is the authentication set to use "j_securitycheck"? How can we change
> it?

It is actually "j_security_check".  And no, you cannot change it, because it is
required by the servlet specification to have this value.

> since I don't see any parameter to set the redirect page name (does it
> have to be index.html/jsp), can we redirect to other pages after the
> authentication?

You don't set the "redirect page" at all.

The whole idea of form based authentication is that it works like this:
* You ask for a URL that happens to be protected by a security constraint.
* The server sees that you have not authenticated yet, so it
  saves your original request and shows you the form login page
* After you log in successfully, the server restores your *original*
  request and executes it, giving you the page that you originally
  asked for.

Thus, you will never need to explicitly refer to your login page (from other
pages in your app at all).  The server will automatically use it whenever

> 2. Where should I change if I want to get out the roles info (as session)
> for my future needs?

What information are you trying to acquire?

If a user has been authenticated, you can call request.getRemoteUser() to get
the authenticated username, or request.isUserInRole() to see if the current user
is in a particular role.  For example, you might be building a menu JSP page,
and want to include a certain set of menu options only if the current user is a
manager.  You can do something like this:

    <% if (request.isUserInRole("manager")) { %>
        ... show the manager menu options
    <% } %>

If you use roles to protect access to complete pages (in a security constraint),
you don't need to do anything at all in your pages -- the server will
automatically disallow access to users who are not authenticated, or who do not
possess the correct role.

Note that all of this stuff works the same for BASIC authentication as well.

> Thanks for the help.
> Regards
> Johnson

Craig McClanahan
