Title: RE: Form-based Authentication
Hi Jason,
 
    I should have been clearer.
 
    The only time that you do not want the login-form to specify "j_security_check" as its action is when you want to do some special preprocessing before the user is authenticated.  By forwarding to a servlet (I haven't tried this with an Action but it should work) you can do your preprocessing in the servlet and then do a requestDispatcher.forward( ) to j_security_check.  This will allow you to do pre-processing and take advantage of the container's authentication realm.
 
    My guess is you are currently doing authentication against a database table.  If you are using WebLogic you can use the DBMSRealm.  This will probably mean you will need to add some tables to support the roles in WebLogic but now you don't need the authentication code in your actions.  The container manages access to protected resources.  You don't have to have any scriptlets at the top of your pages as long as the regular expression in the <url-pattern> of the <security-constraint> element of your web.xml matches all of your protected resources.
 
--Abraham
-----Original Message-----
From: Jason Chaffee [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 12, 2001 4:20 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Form-based Authentication

Hi Matt and Abraham,

I would like to know why you say that you need to specify a login-form that does not have j_security_check as its action?

I am using this as the action and using Struts action classes to do the login?

-----Original Message-----
From: Abraham Kang [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 12, 2001 4:25 PM
To: [EMAIL PROTECTED]
Subject: RE: Form-based Authentication


Hi Matt,

   I have done this successfully with WebLogic 6.0 and 5.1 and JRun 3.1.

   Here is what I learned.

   If you need to do login preprocessing you will need to specify a
login-form that does not have j_security_check as its action.  This login
form will submit to a non-secured servlet.  This servlet will do the
pre-processing and then forward the j_username and j_password to
j_security_check.

   If you need post authentication routines then you will have to sniff the
session attribute that the requested URL was stored under.  In WebLogic this
is "_wl_formauth_url".  When they get to the login page you will need to
replace this attribute ("_wl_formauth_url") with the post-processing servlet
URL.  At the same time you will need to store the original value of session
attribute ("_wl_formauth_url") to some other key in the session that the
post-processing servlet can use to redirect the user to their desired url
after post processing.

Hope This Helps,
Abraham

> -----Original Message-----
> From: Matt Raible [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, June 12, 2001 3:14 PM
> To: [EMAIL PROTECTED]
> Subject: Form-based Authentication
>
>
> Has anyone implemented form-based authentication and Struts as defined by
> the J2EE Blueprints?
>
> http://java.sun.com/j2ee/blueprints/packaging_deployment/descriptors/index.html#1035772
>
> If so, any lessons learned from the appserver you deployed in?
>
> Thanks,
>
> Matt

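The pre-processing flow discussed in this thread, as an added example that is not code from any of the posters: a servlet on an unprotected URL receives the login form, runs its checks, and forwards the untouched request to j_security_check. The class name, session key, limits and the checks themselves are assumptions, it uses the javax.servlet API of that era, and whether a forward to j_security_check is honoured depends on the container (the thread reports WebLogic 6.0/5.1 and JRun 3.1).

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical pre-login servlet. Map it to an unprotected URL and use that
// URL as the login form's action instead of j_security_check.
public class PreLoginServlet extends HttpServlet {
    private static final int MAX_ATTEMPTS = 5;        // assumed policy
    private static final int MAX_FIELD_LENGTH = 128;  // assumed policy
    private static final String ATTEMPTS_KEY = "preLogin.attempts"; // hypothetical key

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("j_username");
        String pass = request.getParameter("j_password");

        // Check 1: reject missing or oversized fields before the realm sees them.
        if (user == null || pass == null || user.length() == 0
                || user.length() > MAX_FIELD_LENGTH
                || pass.length() > MAX_FIELD_LENGTH) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Check 2: count attempts in the session. This is a courtesy limit
        // only; account lockout belongs in the realm's user store.
        HttpSession session = request.getSession(true);
        Integer seen = (Integer) session.getAttribute(ATTEMPTS_KEY);
        int attempts = (seen == null) ? 1 : seen.intValue() + 1;
        session.setAttribute(ATTEMPTS_KEY, Integer.valueOf(attempts));
        if (attempts > MAX_ATTEMPTS) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Record the attempt without writing the user name or password to the log.
        log("form login attempt " + attempts + " in session " + session.getId().hashCode());

        // Forward the original request, with j_username and j_password intact,
        // to the container's form-login handler. The path is context-relative.
        request.getRequestDispatcher("/j_security_check").forward(request, response);
    }
}
```

The servlet never compares the password itself; the credential check stays in the container's realm, so the `<security-constraint>` in web.xml remains the only thing guarding the protected resources.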