Dim,

I am using realms and form based login.

The user doesn't request the login PAGE directly, it requests the login
servlet which is a protected resource. That bit works.

The problem is that there are other protected resources and if the user
requests one of those, after authentication, the user gets them, but I need
the login servlet to be run whenever they are accessed.

Gerry

----- Original Message -----
From: "Dmitri Colebatch" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 27, 2001 8:59 AM
Subject: Re: [JBoss-user] Security question on Webapps


> If you're using security realms and form based login (not sure if you
> are) then you shouldn't ever directly request the login page, simply
> request the protected resource and let the container send the login page as
> required and then continue the user onto the requested
> (protected) resource.
>
> cheers
> dim
>
> On Thu, 27 Sep 2001, Gerry Duhig wrote:
>
> > Hi!
> >
> > I have configured a webapp to be deployed by the embedded Tomcat and
> > use the JBoss security system to protect it. It works but there is a
> > flaw I overlooked.
> >
> > The webapp is a login servlet and a number of html and jsp pages.
> >
> > I designed it so that JBoss protects all the pages and the login
> > servlet and uses FORM authentication.
> >
> > If the user accesses the app in the "proper" way, the url directs him
> > to the login servlet which is protected. JBoss puts up the FORM,
> > authenticates the user and directs him to the servlet. He is logged in
> > to our database, a cookie is written and he is redirected to the html
> > pages. All is well.
> >
> > If he later (new session) uses his browser history to access an html
> > page directly, JBoss intercepts, puts up the FORM and authenticates
> > him, and he then gains access to the html page but has not run the
> > login servlet and has no cookie which is required later in the
> > process.
> >
> > How can I force the login servlet to be run whatever route the user
> > comes in by?
> >
> > Gerry
> >
> >
>
>
> _______________________________________________
> JBoss-user mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/jboss-user


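The problem in this thread is that container-managed FORM authentication authenticates the user but does not run the application's own post-login work (the database login and the cookie) when the first request after authentication lands on an HTML page instead of the login servlet. One way to guarantee that work runs on every entry point is a servlet Filter mapped over the protected URLs: it lets the container authenticate first, then forwards the first authenticated request of each session to the login servlet. The example below is added here and is not code from the thread or from JBoss; it assumes a Servlet 2.3 or later container (filters are not available in older ones), a login servlet mapped at `/login`, and the session attribute names shown, all of which are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (not from the thread): mapped over the same URL
 * patterns as the security constraint, so the container has already
 * performed FORM authentication before doFilter() runs. The first
 * authenticated request in a session is forwarded to the login servlet,
 * whatever URL the user actually asked for.
 */
public class PostLoginFilter implements Filter {

    // Session flag set once the login servlet has been run. Name is an assumption.
    static final String LOGIN_DONE = "app.loginServletDone";
    // Where the login servlet should send the user afterwards. Name is an assumption.
    static final String RETURN_TO = "app.returnTo";
    // Assumed mapping of the login servlet inside this web application.
    static final String LOGIN_SERVLET = "/login";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // No principal means the container has not authenticated this request;
        // leave it to the security constraint rather than short-circuiting it.
        if (request.getUserPrincipal() == null) {
            chain.doFilter(req, res);
            return;
        }

        HttpSession session = request.getSession(true);
        if (session.getAttribute(LOGIN_DONE) != null) {
            // Post-login work already ran in this session; pass straight through.
            chain.doFilter(req, res);
            return;
        }

        // Mark the session before forwarding, so that the login servlet
        // (which is itself a protected resource under this filter) is not
        // forwarded to again and the request cannot loop.
        session.setAttribute(LOGIN_DONE, Boolean.TRUE);

        // Remember only the context-relative path the user asked for, never a
        // caller-supplied absolute URL, so the later redirect stays inside the app.
        String target = request.getServletPath();
        if (request.getPathInfo() != null) {
            target = target + request.getPathInfo();
        }
        if (request.getQueryString() != null) {
            target = target + "?" + request.getQueryString();
        }
        session.setAttribute(RETURN_TO, target);

        // Run the login servlet in the same request: it does the database
        // login, writes the cookie, and can then redirect to RETURN_TO.
        request.getRequestDispatcher(LOGIN_SERVLET).forward(request, response);
    }
}
```

The filter is declared in web.xml with a `<filter>` element and a `<filter-mapping>` whose `<url-pattern>` covers the same paths as the `<security-constraint>`. The login servlet's only change is to read the `app.returnTo` session attribute (if present) and redirect there instead of to its fixed start page, using `response.sendRedirect(request.getContextPath() + returnTo)`. Because the flag is stored in the HTTP session, a new session created from the browser history is handled the same way as a fresh visit: the container authenticates, the filter sees no flag, and the login servlet runs before the HTML page is served.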