tomcat-users mailing list archives

From Kevin HaleBoyes <>
Subject FORM-based login questions
Date Wed, 16 May 2001 18:45:04 GMT
I've managed to get FORM-based login to work but I've got a few questions
about it.  I have an application that has three different roles: customer,
administrator, and retailer.  They will have access to their own part of the
overall application - generally, the customer will access jsp's and servlets
in the /ft/cust resource collection.  Similarly for the admin and retailer
roles.  My web.xml file contains the following:

            <web-resource-name>Admin Functions</web-resource-name>

            <web-resource-name>Etailer Functions</web-resource-name>

            <web-resource-name>Customer Functions</web-resource-name>


My tomcat-users.xml file has the users and roles defined appropriately:

  <user name="lftcust"    password="t"    roles="ltcust" />
  <user name="lftadmin"  password="t"   roles="ltadmin" />
  <user name="lftetail"    password="t"    roles="ltetailer" />

As I said, this is working but I did have a few questions.  First, the
context for the application is /ft and I'm running Tomcat 4.0b3 on a RedHat
Linux 6.2 box.

You'll notice that the "root" of the application is not protected so if a
browser is pointed to http://localhost:8080/ft/index.jsp it is served up
without a username/password prompt.  If I try to go to the /ft/cust/index.jsp
URL then my login.jsp form is presented (user logs in and is redirected to
the /ft/cust/index.jsp location).

If I access the URL http://localhost:8080/ft/login.jsp directly, right from
the start, I get the login form presented.  If I login with a correct
username and password I get the following error displayed in my browser
window:
    HTTP Status 400 - Bad Request
and the URL is:

It's almost like the FORM authentication handler doesn't know where to go
after login succeeds.  Is there anything I can do about this?  The Java
Servlet Specification 2.3 document doesn't describe how this should be
handled.

Along a similar line.  Say my /ft/index.jsp page has a link to login
(/ft/login.jsp) and a user takes it.  Once the user is authenticated, how can
I direct them to a page (as the next page from the login form)?

Another question.  How do I logout?  What I do right now is have a
logout.jsp that calls
    <% session.invalidate(); %>
but is this the proper way of achieving a logout?

Yet another question.  I would like to attach some information (i.e., an
instance of a Java class) to the session once the user is authenticated.  It
will contain things like the user id and name from the database.  Is there
any way of doing this?  I suppose I could have code in all my servlets and
jsp files that builds the instance and attaches it to the session if
getRemoteUser() returns not-null and the session information isn't bound.
This is tedious though and requires duplicated code in every servlet or jsp
that follows a login.  Again, I don't see anything in the Servlet spec.
Actually, I consider this to be a bit of a shortcoming (if you can't do it)
in the servlet spec.

Thanks for the help,
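
An added example, not part of the original message: the check described in the last question (build the object when getRemoteUser() is non-null and nothing is bound to the session yet) written once as a Servlet 2.3 Filter instead of being repeated in every servlet and JSP. The names UserInfoFilter, UserInfo, the "userInfo" attribute and loadUser() are hypothetical, and the code assumes a container that implements the final Servlet 2.3 javax.servlet.Filter interface.

```java
import java.io.IOException;
import java.io.Serializable;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: binds a per-user object to the session the first time a
// request arrives with an authenticated user, so no servlet or JSP repeats it.
public class UserInfoFilter implements Filter {

    // Hypothetical session attribute name (not from the original message).
    static final String ATTR = "userInfo";

    // Hypothetical value class; Serializable so the container can persist the session.
    public static class UserInfo implements Serializable {
        public final String login;
        public final String displayName;
        UserInfo(String login, String displayName) {
            this.login = login;
            this.displayName = displayName;
        }
    }

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String remoteUser = http.getRemoteUser();      // null until the container has authenticated
        HttpSession session = http.getSession(false);  // never create a session for anonymous traffic
        if (remoteUser != null && session != null) {
            UserInfo bound = (UserInfo) session.getAttribute(ATTR);
            // Rebuild when nothing is bound or the bound object belongs to another login,
            // so a stale object never outlives the user it describes.
            if (bound == null || !bound.login.equals(remoteUser)) {
                session.setAttribute(ATTR, loadUser(remoteUser));
            }
        }
        chain.doFilter(req, res);
    }

    // Placeholder for the database lookup the message mentions (assumed, not shown there).
    protected UserInfo loadUser(String login) {
        return new UserInfo(login, login);
    }
}
```

Declared with a `<filter>` and a `<filter-mapping>` in web.xml over the protected URL patterns, it runs ahead of each servlet or JSP in those collections.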
