tomcat-users mailing list archives

From Fernando Padilla <f...@interdimensions.com>
Subject Re: FormBased Authentication properties
Date Fri, 09 Feb 2001 04:00:53 GMT

This might seem like pestering, but how do we set up user and role
definitions for tomcat to authenticate against?  I tried looking through
the Tomcat Documentation, but maybe I didn't try hard enough.

fernando


On Thu, 8 Feb 2001, Craig R. McClanahan wrote:

>
>
> Johnson Lim wrote:
>
> > Hello,
> >
> > I have tried using form-based authentication, and I have several questions on
> > it (please help):
> >
> > 1. Is the authentication set to use "j_securitycheck"? How can we change
> > it?
>
> It is actually "j_security_check".  And no, you cannot change it, because it is
> required by the servlet specification to have this value.
>
> >  Since I don't see any parameter to set the redirect page name (must it
> > be index.html/jsp?), can we redirect to other pages after the
> > authentication?
> >
>
> You don't set the "redirect page" at all.
>
> The whole idea of form based authentication is that it works like this:
> * You ask for a URL that happens to be protected by a security constraint.
> * The server sees that you have not authenticated yet, so it
>   saves your original request and shows you the form login page
> * After you log in successfully, the server restores your *original*
>   request and executes it, giving you the page that you originally
>   asked for.
>
> Thus, you will never need to explicitly refer to your login page (from other
> pages in your app) at all.  The server will automatically use it whenever
> necessary.
>
> >
> > 2. What should I change if I want to get the roles info out (as session)
> > for my future needs?
> >
>
> What information are you trying to acquire?
>
> If a user has been authenticated, you can call request.getRemoteUser() to get
> the authenticated username, or request.isUserInRole() to see if the current user
> is in a particular role.  For example, you might be building a menu JSP page,
> and want to include a certain set of menu options only if the current user is a
> manager.  You can do something like this:
>
>     <% if (request.isUserInRole("manager")) { %>
>         ... show the manager menu options
>     <% } %>
>
> If you use roles to protect access to complete pages (in a security constraint),
> you don't need to do anything at all in your pages -- the server will
> automatically disallow access to users who are not authenticated, or who do not
> possess the correct role.
>
> Note that all of this stuff works the same for BASIC authentication as well.
>
> >
> > Thanks for the help.
> >
> > Regards
> > Johnson
> >
>
> Craig McClanahan
>
>
>
>
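
Added example (not part of the original messages, and not code from the Tomcat project): a web.xml fragment for the flow Craig describes, using the deployment-descriptor elements defined by the servlet specification. The URL pattern /admin/*, the page names /login.jsp and /login-error.jsp, and the resource name are assumptions; the role name "manager" is taken from the JSP snippet in the reply.

```xml
<!-- WEB-INF/web.xml fragment (elements from the servlet specification).
     Paths, page names and the resource name are assumed for illustration. -->
<web-app>

  <!-- Protect everything under /admin/ for role "manager". No <http-method>
       is listed, so the constraint applies to every HTTP method. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
    <!-- Form login sends the password in the request body; require SSL. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- The container shows this page itself when an unauthenticated request
       hits a protected URL; the application never links to it.
       The login page must post the fields j_username and j_password
       to the fixed action j_security_check:
         <form method="POST" action="j_security_check">
           <input type="text" name="j_username">
           <input type="password" name="j_password">
         </form>
  -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Declares the role name used above and in request.isUserInRole(). -->
  <security-role>
    <role-name>manager</role-name>
  </security-role>

</web-app>
```

Which users hold the "manager" role is decided by the container's user store, not by web.xml.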

