OK. Thanks for the few clues, I now have my own LoginModule operating. Can I get output back to the user in any way? I.e., can I produce HTML or get a servlet to execute from the LoginModule, so that a cookie can be written? (Then let the user get to the page he requested.)
Gerry

----- Original Message -----
From: "Gerry Duhig" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 27, 2001 12:27 PM
Subject: Re: [JBoss-user] Security question on Webapps

> It does a separate "login" operation in a different database and writes a
> cookie so that some data from that database is available to subsequent
> operations.
>
> I am guessing that what I have to do is subclass DatabaseServerLoginModule
> and run my code from that subclass. Which I have started to experiment with,
> but JBoss keeps saying it cannot find my class. I put it in a jar file in
> lib/ext, but it still can't find it.
>
> What is the trick here?
>
> Gerry
>
> ----- Original Message -----
> From: "Dmitri Colebatch" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, September 27, 2001 11:52 AM
> Subject: Re: [JBoss-user] Security question on Webapps
>
> > So what does the "login servlet" do? Sounds more like a front controller
> > style pattern... is it responsible for directing the request to the
> > appropriate place?
> >
> > cheers
> > dim
> >
> > On Thu, 27 Sep 2001, Gerry Duhig wrote:
> >
> > > Dim,
> > >
> > > I am using realms and form based login.
> > >
> > > The user doesn't request the login PAGE directly, it requests the login
> > > servlet which is a protected resource. That bit works.
> > >
> > > The problem is that there are other protected resources and if the user
> > > requests one of those, after authentication, the user gets them, but I
> > > need the login servlet to be run whenever they are accessed.
> > >
> > > Gerry
> > >
> > > ----- Original Message -----
> > > From: "Dmitri Colebatch" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Thursday, September 27, 2001 8:59 AM
> > > Subject: Re: [JBoss-user] Security question on Webapps
> > >
> > > > If you're using security realms and form based login (not sure if you
> > > > are) then you shouldn't ever directly request the login page, simply
> > > > request the protected resource and let the container send the login
> > > > page as required and then continue the user onto the requested
> > > > (protected) resource.
> > > >
> > > > cheers
> > > > dim
> > > >
> > > > On Thu, 27 Sep 2001, Gerry Duhig wrote:
> > > >
> > > > > Hi!
> > > > >
> > > > > I have configured a webapp to be deployed by the embedded Tomcat and
> > > > > use the JBoss security system to protect it. It works but there is a
> > > > > flaw I overlooked.
> > > > >
> > > > > The webapp is a login servlet and a number of html and jsp pages.
> > > > >
> > > > > I designed it so that JBoss protects all the pages and the login
> > > > > servlet and uses FORM authentication.
> > > > >
> > > > > If the user accesses the app in the "proper" way, the url directs him
> > > > > to the login servlet which is protected. JBoss puts up the FORM,
> > > > > authenticates the user and directs him to the servlet. He is logged in
> > > > > to our database, a cookie is written and he is redirected to the html
> > > > > pages. All is well.
> > > > >
> > > > > If he later (new session) uses his browser history to access an html
> > > > > page directly, JBoss intercepts, puts up the FORM and authenticates
> > > > > him, and he then gains access to the html page but has not run the
> > > > > login servlet and has no cookie which is required later in the
> > > > > process.
> > > > >
> > > > > How can I force the login servlet to be run whatever route the user
> > > > > comes in by?
> > > > >
> > > > > Gerry
> > > >
> > > > _______________________________________________
> > > > JBoss-user mailing list
> > > > [EMAIL PROTECTED]
> > > > https://lists.sourceforge.net/lists/listinfo/jboss-user