It does a separate "login" operation in a different database and writes a cookie so that some data from that database is available to subsequent operations.
I am guessing that what I have to do is subclass DatabaseServerLoginModule and run my code from that subclass. Which I have started to experiment with, but JBoss keeps saying it cannot find my class. I put it in a jar file in lib/ext, but it still can't find it. What is the trick here? Gerry ----- Original Message ----- From: "Dmitri Colebatch" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, September 27, 2001 11:52 AM Subject: Re: [JBoss-user] Security question on Webapps > So what does the "login servlet" do? Sounds more like a front controller > style pattern... is it responsible for directing the request to the > appropriate place? > > cheesr > dim > > On Thu, 27 Sep 2001, Gerry Duhig wrote: > > > Dim, > > > > I am using realms and form based login. > > > > The user doesn't request the login PAGE directly, it requests the login > > servlet which is a protected resource. That bit works. > > > > The problem is that there are other protected resources and if the user > > requests one of those, after authentication, the user gets them, but I need > > the login servlet to be run whenever they are accessed. > > > > Gerry > > > > ----- Original Message ----- > > From: "Dmitri Colebatch" <[EMAIL PROTECTED]> > > To: <[EMAIL PROTECTED]> > > Sent: Thursday, September 27, 2001 8:59 AM > > Subject: Re: [JBoss-user] Security question on Webapps > > > > > > > If you're using security realms and form based login (not sure if you > > > are) then you shouldn't ever directly request the login page, simply > > > request the protected resource and let the contain send the login page as > > > required and then continue the user onto the requested > > > (protected) resource. > > > > > > cheesr > > > dim > > > > > > On Thu, 27 Sep 2001, Gerry Duhig wrote: > > > > > > > Hi! > > > > > > > > I have configured a webapp to be deployed by the embedded Tomcat and > > > > use the JBoss security system to protect it. It works but there is a > > > > flaw I overlooked. > > > > > > > > The webapp is a login servlet and a number of html and jsp pages. > > > > > > > > I designed it so that JBoss protects all the pages and the login > > > > servlet and uses FORM authentication. > > > > > > > > If the user accesses the app in the "proper" way, the url directs him > > > > to the logiin servlet which is protected. JBoss puts up the FORM, > > > > authenticates the user and directs him to the servlet. He is logged in > > > > to our database, a cookie is written and he is redirected to the html > > > > pages. All is well. > > > > > > > > If he later (new session) uses his browser history to access an html > > > > page directly, JBoss intercepts, puts up the FORM and authenticates > > > > him, and he then gains access to the html page but has not run the > > > > login servlet and has no cookie which is required later in the > > > > process. > > > > > > > > How can I force the login servlet to be run whatever route the user > > > > comes in by? > > > > > > > > Gerry > > > > > > > > > > > > > > > > > _______________________________________________ > > > JBoss-user mailing list > > > [EMAIL PROTECTED] > > > https://lists.sourceforge.net/lists/listinfo/jboss-user > > > > > > _______________________________________________ > > JBoss-user mailing list > > [EMAIL PROTECTED] > > https://lists.sourceforge.net/lists/listinfo/jboss-user > > > > > _______________________________________________ > JBoss-user mailing list > [EMAIL PROTECTED] > https://lists.sourceforge.net/lists/listinfo/jboss-user _______________________________________________ JBoss-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-user
