tomcat-users mailing list archives

From "Jan Agermose" <...@agermose.dk>
Subject Re: Form auth
Date Fri, 01 Nov 2002 09:18:17 GMT
I'm used to working in a different way - not using declarative security. Might
be the real problem :-) It seems that this declarative security thing is
good for resources that are always protected or not. My pages are mostly
partly secured, in that all users can access some page but some items on the
page are displayed only if the user is logged in. Or a page that is
displayed in a context. In one context it is OK to see the page and
depending on some parameter (the context) it might not be OK. Runtime
checked security. I really need to have the user log in at will, not forced -
but also forced, of course. This idea of a button and a fake-secured-page
that forces a login prompt. I really want a login form on the front page. I
don't want the user to have to click a button only to get to the login screen
and submit that one. I cannot change a design just because of a "design flaw"
in the backend code ;-) It really should be possible to submit login
information of free will.

Also, what you described below seems to be exactly what is already
implemented in the form auth method?

Jan


----- Original Message -----
From: "Alfonso Martinez" <trilock@linuxcenter.com.mx>
To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
Sent: Friday, November 01, 2002 6:00 AM
Subject: Re: Form auth


> One way to do this is to create a filter for the protected resources. When
> accessing them, the filter gets invoked. It checks on the session whether the
> user has already logged in or not. If not, it redirects to the login page
> which in turn redirects to the protected resource. What do you guys think
> about this approach???
>
> Jose Alfonso
>
> On Thu, Oct 31, 2002 at 10:19:16AM -0800, Craig R. McClanahan wrote:
> >
> >
> > On Thu, 31 Oct 2002, Jan Agermose wrote:
> >
> > > Date: Thu, 31 Oct 2002 17:15:08 +0100
> > > From: Jan Agermose <jan@agermose.dk>
> > > Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> > > To: 'Tomcat Users tomcat <tomcat-user@jakarta.apache.org>
> > > Subject: Form auth
> > >
> > > I would like to use form-based auth for my application, but it seems
> > > that it is based on
> > >     1. user trying to access some resource
> > >     2. if not logged in - prompt
> >
> > That's correct.  From the user point of view, it operates exactly like
> > BASIC authentication does (where the browser pops up the login dialog the
> > first time you ask for a protected resource).
> >
> > >
> > > This is of course good. But usually you have a webpage that has a
> > > login-form somewhere on the page to allow the user to log in at will.
> > > Log in -before- a secured page is requested. How can I implement this? I
> > > find only methods to getRemoteUser and isInRole and... no setRemoteUser
> > > or the like...
> > >
> >
> > You won't be able to have the login form itself on the unsecured page, but
> > you can easily provide a "Log In" button (say, on your home page) like
> > this:
> >
> > * Make the log in button link to a resource in a protected directory
> >
> > * Make that resource just do a redirect back to the home page
> >
> > When the user clicks the log in button, the form based login page gets
> > displayed (because the resource is protected).  After login is complete,
> > Tomcat then executes the protected resource, which redirects back to the
> > home page with the user being logged on already.
> >
> > > Am I making sense :-)
> > >
> > > Jan
> >
> > Craig
> >
> >
> >
> > --
> > To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> > For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
> >
>
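
The session-checking filter proposed in the quoted message, sketched as an added example that is not part of the original thread and is not Tomcat's own code. The session attribute "authUser", the login page "/login.jsp" and the "returnTo" parameter are assumed names, and the filter is assumed to be mapped to the protected URL patterns in web.xml.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.*;
import javax.servlet.http.*;

public class LoginCheckFilter implements Filter {
    static final String USER_ATTR = "authUser";    // assumed session attribute set at login
    static final String LOGIN_PAGE = "/login.jsp"; // assumed, must NOT be covered by this filter

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session just to learn nobody is logged in.
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(USER_ATTR) != null) {
            chain.doFilter(req, res); // already logged in, serve the resource
            return;
        }
        // Remember the requested resource as a context-relative path only.
        String target = request.getRequestURI().substring(request.getContextPath().length());
        if (request.getQueryString() != null) {
            target += "?" + request.getQueryString();
        }
        response.sendRedirect(response.encodeRedirectURL(request.getContextPath()
                + LOGIN_PAGE + "?returnTo=" + URLEncoder.encode(target, "UTF-8")));
    }

    // For the login handler: where to send the user after a successful login.
    // returnTo is attacker-controllable, so only local paths are accepted;
    // "//host", "/\host", absolute URLs and control characters fall back to home.
    static String safeReturnTarget(HttpServletRequest request, String returnTo) {
        String home = request.getContextPath() + "/";
        if (returnTo == null || !returnTo.startsWith("/")
                || returnTo.startsWith("//") || returnTo.startsWith("/\\")) {
            return home;
        }
        for (int i = 0; i < returnTo.length(); i++) {
            if (returnTo.charAt(i) < 0x20) return home;
        }
        return request.getContextPath() + returnTo;
    }
}
```

Because this login is application-managed, getRemoteUser() and isUserInRole() stay unset unless the filter also wraps the request. The login handler should replace the session (invalidate it, then create a new one) before setting the attribute.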



