I can share what we do using form-based authentication. We've rolled our own authentication mechanism, and have JBoss and Tomcat on different servers. This may be what you mean by "login form on each page" - I'm not clear. At any rate, at the top of each page, the developer has

<%@ include file="/common/html/authenheader.jsp" %>

and at the bottom is

<%@ include file="/common/html/authentrailer.jsp" %>

The header opens a try block. In there, it checks the session to see if the user is logged on. If not, it stores request.getRequestURI in the session and redirects to login_form.jsp. In login_hdlr.jsp, if the userid and password validate, the session is updated and a redirect to the stored target is executed. authentrailer closes the try block and handles exceptions.

----- Original Message -----
From: "Silvester van der Bijl" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 24, 2003 8:22 PM
Subject: Re: [JBoss-user] Form based authentication

David,

Thanks for the suggestion. I do have a login form on each page (that is until the user logs in :-) ). I did think of something like you're describing, but I just figured there had to be a better way.

I found some more information on that AuthenticationInterceptor, but as far as I can figure, you can't tell JBoss/Jetty to use a different interceptor for this. Besides, it seems kind of overkill to write a custom class just to allow direct requests to a login page....

Any other thoughts ?

Silvester

<quote from="David Ward">
> Silvester,
>
> I'll share what I do. I have a single servlet that is a central
> controller that delegates processing and dispatches requests to jsp's
> (based on pathInfo). However, *I have 2 servlet mappings to it*.
>
> /myapp/web/pathInfo - myapp is the context, web is the servlet, pathInfo
> (and request params) tell me how to process and where to request
> dispatch to.
>
> /myapp/sweb/pathInfo - same as above except sweb (notice the "s") is a
> different mapping *to the same servlet*, except it also is a web
> protected resource.
>
> I have a dynamic login/logout link on each page (based on principal in
> request), which simply links back to itself except replacing "web" with
> "sweb". After the user logs in, he/she ends up visually back to where
> he/she started, though the path in the url is a bit different.
>
> Now, it sounds like you have an actual login form on each of your pages.
> I've not done that, but I'm guessing you could do the same thing as me,
> except just pass along the username and password to a dummy login with
> no display that onLoad (JavaScript) simply submits for you. But 1) that
> seems hokey, and 2) you would want to make sure you're using SSL
> otherwise your username and password are plain-text'ing over the net.
> What do other people do in this circumstance?
>
> David
>
> --
>
> Message quoted by Silvester van der Bijl <[EMAIL PROTECTED]>:
>
>> Hi there,
>>
>> We've got a web application which on each page displays a login box if
>> the user isn't authenticated, or otherwise his personal menu, etc...
>>
>> The problem is, that after successfully authenticating a user
>> (j_security_check target), jetty doesn't know where to redirect the
>> user to since I made a direct request to the login page (sort of).
>>
>> Shouldn't there be an additional property for j_security_check, like
>> j_onsuccess_redirect_to ?
>>
>> Does anyone know of a workaround for this problem ? I've read about
>> using a custom AuthenticationInterceptor, only I can't find where this
>> interceptor is configured ?
>>
>> Please help.
>> Silvester
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> JBoss-user mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/jboss-user
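The header/handler flow described in the first message of this thread, as an added Java example that is not code from the thread or from JBoss. The class name, session attribute names, form field names, validator hook and the failed-login redirect are assumptions; the example also starts a fresh session at login and only redirects to a stored target that lies inside the application.

```java
import java.io.IOException;
import java.util.function.BiPredicate;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical helper; the JSP includes would call these two methods. */
public final class AuthFlow {
    static final String USER = "authUser";      // assumed session attribute names
    static final String TARGET = "loginTarget";

    /** authenheader step: true if logged on, else remember the page and go to the form. */
    public static boolean requireLogin(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        HttpSession s = req.getSession(true);
        if (s.getAttribute(USER) != null) return true;
        s.setAttribute(TARGET, req.getRequestURI());
        res.sendRedirect(req.getContextPath() + "/login_form.jsp");
        return false;                            // caller must stop rendering the page
    }

    /** login_hdlr step: validate, start a fresh session, redirect to the stored target. */
    public static void handleLogin(HttpServletRequest req, HttpServletResponse res,
            BiPredicate<String, String> validator) throws IOException {
        String user = req.getParameter("userid");     // assumed form field names
        String pass = req.getParameter("password");
        if (user == null || pass == null || !validator.test(user, pass)) {
            res.sendRedirect(req.getContextPath() + "/login_form.jsp"); // assumed failure path
            return;
        }
        HttpSession old = req.getSession(false);
        String target = (old == null) ? null : (String) old.getAttribute(TARGET);
        if (old != null) old.invalidate();   // new session id, so a pre-login id is useless
        req.getSession(true).setAttribute(USER, user);
        res.sendRedirect(safeTarget(target, req.getContextPath()));
    }

    /** Only redirect to a path inside this application; otherwise use its root. */
    static String safeTarget(String target, String contextPath) {
        String home = contextPath + "/";
        boolean ok = target != null && target.startsWith(home) && !target.startsWith("//")
                && target.indexOf('\\') < 0 && target.indexOf('\r') < 0
                && target.indexOf('\n') < 0;
        return ok ? target : home;
    }
}
```

In the header include the call would be `if (!AuthFlow.requireLogin(request, response)) return;`, and login_form.jsp itself must not include the header.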
