tomcat-users mailing list archives

From footh <fo...@yahoo.com>
Subject Re: Form-based login question - explicit login
Date Fri, 05 Nov 2004 22:16:12 GMT
From what I gather, you are not using the built-in
forms-based authentication?  I'd like to stick with it
for now but will consider other options as I add more
functionality.


--- Jonathan Wilson <jnwilson@dallas.photronics.com> wrote:

> There's probably a much better way, but I like the fine-grained
> approach I use. Unfortunately (or fortunately) it requires *every*
> page you want access controlled to have a <jsp:include> tag. The
> included jsp file checks a session variable to determine if the user
> is logged in, and whether or not their 'role' is sufficient (my
> app-defined roles, not to be confused with the role mechanism
> contained within Tomcat itself) to access the resource - so the
> jsp:included page either forwards them to login page, notifies them
> they don't have the necessary privileges, or lets them pass through.
> For the proper jsp:forward after the user successfully logs in (or if
> s/he already has the proper perms) I just check a calling parameter
> which I set from the original calling page (which is properly URL
> encoded) and jsp:forward the user to that resource. You should check
> for null forwarding parameters in case the access controlled page
> doesn't actually set its forward address properly (well worth your
> time). Probably a confusing process, but it makes sense to me! ..and
> it's working on a large-scale in-house production app - there are
> performance issues I'm sure if you're considering a super-large
> deployment.
> 
> If anybody has a better/quicker solution I'm
> interested.
> 
> --JW
> 
> 
> footh wrote:
> 
> > I have a quick question regarding Tomcat's form-based login.  I
> > have it working fine for pages that are listed as protected.  For
> > ex, if a user hits a protected page, they are redirected to a login
> > page, we'll call it "login_required" that says the requested
> > resource requires a login.  If they fail the login, the error page,
> > we'll call "login_invalid", appears which looks just like the
> > login_required page except it says invalid login, please try again.
> > If the user logs in correctly on any of these pages, they are
> > redirected to the original protected page.  This works great.
> >
> > But, the user can explicitly log in by clicking on a "log in" link
> > everywhere on the site.  I have an idea of how to do this, but I
> > have a couple of questions regarding this idea.
> >
> > I was going to create a "login_dummy" page, a protected page that
> > is the source of all the "login" links throughout the site.  When
> > this page is hit, the whole forms-based login process will occur.
> > When the user finally authenticates, the login_dummy page will just
> > redirect them to the home page.
> >
> > The questions I have are 1) I would really like to direct the user
> > to the page they were on when they clicked the "login" link.  I
> > can't figure out how to do that.  And 2) This method requires that
> > I use the "login_required" page described above (the form attached
> > to the form-based login) which will contain text like "the
> > requested resource requires a login, etc, etc."  When they click on
> > a login link, they aren't accessing a protected resource, they are
> > just logging in.  So, I really need a different login page (or just
> > different introductory text).  However, I don't know how to
> > differentiate that I'm coming from a direct login link.
> >
> > The latter issue isn't a big deal, I could always just use a
> > generic login page.  Anyway, does anyone have any ideas of how I
> > might be able to implement this?
> >
> >Thanks,
> >
> >JF

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
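
An added example, not part of the original thread and not Tomcat's own code: one way to validate the calling parameter described in Jonathan Wilson's message before it is used as a jsp:forward target. It covers the null check he recommends and goes further by rejecting off-site, traversal and WEB-INF targets. `ForwardTarget`, `resolve` and `/index.jsp` are hypothetical names.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example: validates the "calling parameter" before it is used as a forward target.
public class ForwardTarget {
    static final String DEFAULT_PAGE = "/index.jsp"; // assumed home page, not from the thread

    /** Returns a context-relative path that is safe to forward to, or DEFAULT_PAGE. */
    static String resolve(String param) {
        if (param == null || param.isEmpty()) return DEFAULT_PAGE; // calling page never set it
        for (char c : param.toCharArray()) {
            // Control characters, backslashes and path parameters have no place in a page path.
            if (c < 0x20 || c == 0x7f || c == '\\' || c == ';') return DEFAULT_PAGE;
        }
        URI uri;
        try {
            uri = new URI(param);
        } catch (URISyntaxException e) {
            return DEFAULT_PAGE;
        }
        // Same application only: no scheme ("http:") and no host ("//other.example/").
        if (uri.isAbsolute() || uri.getRawAuthority() != null) return DEFAULT_PAGE;
        String path = uri.getPath(); // percent-decoded, so "%2e%2e" is seen as ".."
        if (path == null || !path.startsWith("/")) return DEFAULT_PAGE;
        for (String seg : path.split("/")) {
            if (seg.equals(".") || seg.equals("..")
                    || seg.equalsIgnoreCase("WEB-INF") || seg.equalsIgnoreCase("META-INF")) {
                return DEFAULT_PAGE; // traversal, or container-private directories
            }
        }
        String query = uri.getRawQuery();
        return query == null ? uri.getRawPath() : uri.getRawPath() + "?" + query;
    }

    public static void main(String[] args) {
        // Constructed sample values for the calling parameter.
        String[] samples = { null, "/reports/view.jsp?id=7", "http://other.example/",
                "//other.example/x", "/a/%2e%2e/WEB-INF/web.xml", "reports.jsp" };
        for (String s : samples) {
            System.out.println(s + " -> " + resolve(s));
        }
    }
}
```

Of the constructed samples, only `/reports/view.jsp?id=7` is returned unchanged; the others fall back to the default page.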

