tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kevin HaleBoyes <kcbo...@yahoo.com>
Subject FORM-based login questions
Date Wed, 16 May 2001 18:45:04 GMT
I've managed to get FORM-based login to work but I've got a few questions
regarding
it.  I have an application that has three different roles: customer,
administrator, and retailer.
They will have access to their own part of the overall application - generally,
the customer
will access jsp's and servlets in the /ft/cust resource collection.  Similarly
for the admin
and retailer roles.  My web.xml file contains the following:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admin Functions</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ltadmin</role-name>
        </auth-constraint>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Etailer Functions</web-resource-name>
            <url-pattern>/etailer/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ltetailer</role-name>
        </auth-constraint>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Customer Functions</web-resource-name>
            <url-pattern>/cust/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ltcust</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/loginerror.jsp</form-error-page>
        </form-login-config>
    </login-config>

My tomcat-users.xml file has the users and roles defined appropriately:

  <user name="lftcust"    password="t"    roles="ltcust" />
  <user name="lftadmin"  password="t"   roles="ltadmin" />
  <user name="lftetail"    password="t"    roles="ltetailer" />


As I said, this is working but I did have a few question.  First, the context
for the
application is /ft and I'm running Tomcat 4.0b3 on a RedHat linux 6.2 box.

You'll notice that the "root" of the application is not protected so if a
browser is pointed
to http://localhost:8080/ft/index.jsp it is served up without a
username/password prompt.
If I try to go to the /ft/cust/index.jsp URL then my login.jsp form is
presented (user logs
in and is redirected to the /ft/cust/index.jsp location).

If I access the URL http://localhost:8080/ft/login.jsp  directly, right from
the start, I get
the login form presented.  If I login with a correct username and password I
get the 
following error displayed in my browser window:
    HTTP Status 400 - Bad Request
and the URL is:
    http://localhost:8080/ft/j_security_check

It's almost like the FORM authentication handler doesn't know where to go after
the
login suceeds.  Is there anything I can do about this?  The Java Servlet
Specification 2.3
document doesn't describe how this should be handled.

Along a similar line.  Say my /ft/index.jsp page has a link to login
(/ft/login.jsp) and a
user takes it.  Once the user is authenticated, how can I direct them to a
particular
page (as the next page from the login form)?

Another question.  How do I logout?  What I do right now is have a logout.jsp
page 
that calls
    <% session.invalidate(); %>
but is this the proper way of achiving a logout?

Yet another question.  I would like to attach some information (ie, an instance
of a Java
class) to the session once the user is authenticated.  It will contain things
like the user
id and name from the database.  Is there any way of doing this?  I suppose I
could have
code in all my servlets and jsp files that builds the instance and attaches it
to the session
if getRemoteUser() returns not-null and the session information isn't bound. 
This is
tedious though and requires duplicated code in every servlet or jsp that
follows a login.
Again, I don't see anything in the Servlet spec.  Actually, I consider this to
be a bit of
a short-coming (if you can't do it) in the servlet spec.

Thanks for the help,
Kevin.



____________________________________________________________
Do You Yahoo!?
Get your free @yahoo.co.uk address at http://mail.yahoo.co.uk
or your free @yahoo.ie address at http://mail.yahoo.ie

Mime
View raw message