tomcat-users mailing list archives

From LERBSCHER Jean-Pierre <>
Subject RE : Form Based Authentication
Date Wed, 11 May 2005 07:40:04 GMT

If the authentication is realized by the container (the realm), you can't
access the request before the authentication takes over. If you really want
to do it, don't define the security constraint in your web.xml, and make
your own application security mechanism (use a filter, and forward or redirect
to the login page).

-----Original Message-----
From: Wade Chandler [] 
Sent: Wednesday, 11 May 2005 07:10
To: Tomcat Users List
Subject: Re: Form Based Authentication

Wade Chandler wrote:
> I have form based authentication working.  But, I need the login form to 
> be a little more dynamic.  For instance, I want to use different forms 
> for different areas and not always use the same form.  Is this possible? 
>  For instance, under one site I want to limit URLs to different logins. 
>  I realize I should just have a login and have a userid and a password, 
> but my customer wants to simply have an access code to certain pages or 
> directories.  I would like to use form based authentication then I can 
> have the userid as a hidden variable, and then have a password entered 
> by the user, but for some admin screens I need the user to actually 
> enter the userid and password both....
> I hope that makes sense.  I can't figure out how to set up a security 
> constraint which can force a particular login form to be used if the 
> user is not logged in yet.
> Thanks,
> Wade
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:


So I think I should be able to do this with a filter, but I need some 
help.  Basically it looks like I should be able to use a filter to somehow 
get the original target before the authentication form is this correct?  
Basically I need to somehow know when a 
particular URL pattern is being displayed or is attempted to be 
accessed...before the login form is displayed.  When it is displayed 
I'll set an attribute in the request in the filter's doFilter method. 
However, now I need to know how I can access the Request before the 
authentication mechanism takes over I suppose because from my login form 
accessing the getPathInfo() method is returning the login form 
information when I really need to know the actual path the user was 
attempting to access.  So, can I use a filter to do this, and if so how 
do I make sure my filter is called in time to give me the information I 
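
The approach suggested in the reply at the top of this message (no security constraint in web.xml, an application filter that redirects to a login page) could look like the following. This is an added example, not code from the thread; the class name, URL prefixes, login page paths and session attribute names are assumptions, and the filter is assumed to be mapped to `/*` in web.xml.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: picks a login form per protected area and remembers the original target.
public class AreaLoginFilter implements Filter {
    // Protected URL prefix -> login page for that area (constructed sample mapping).
    private final Map<String, String> loginPages = new LinkedHashMap<String, String>();

    public void init(FilterConfig cfg) {
        loginPages.put("/admin/", "/login/admin.jsp");   // userid + password form
        loginPages.put("/reports/", "/login/code.jsp");  // access-code-only form
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // Use the container-decoded path, not the raw URI, so encoded or
        // ";param" variants of a protected prefix cannot slip past the match.
        String info = req.getPathInfo();
        String path = req.getServletPath() + (info == null ? "" : info);
        String area = areaFor(path);
        if (area == null) { chain.doFilter(rq, rs); return; }  // not a protected area

        HttpSession session = req.getSession(false);
        Object granted = (session == null) ? null : session.getAttribute("authArea:" + area);
        if (Boolean.TRUE.equals(granted)) { chain.doFilter(rq, rs); return; }

        // Keep the target server-side (context-relative) so the login handler
        // never has to trust a redirect URL supplied by the client.
        String query = req.getQueryString();
        req.getSession(true).setAttribute("savedTarget", query == null ? path : path + "?" + query);
        res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + loginPages.get(area)));
    }

    // Returns the protected prefix that matches the path, or null if none does.
    String areaFor(String path) {
        for (String prefix : loginPages.keySet()) {
            if (path.startsWith(prefix)) return prefix;
        }
        return null;
    }

    public void destroy() { }
}
```

The login handler (not shown) would verify the credentials, start a fresh session, set the `authArea:` attribute for that area, and redirect to the context path plus `savedTarget`. The login pages themselves must sit outside every protected prefix, otherwise the filter redirects in a loop.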


