Hello,

You're doing exactly what I want to do, only I want to use container managed security. If I understand you correctly you don't use container managed security (web.xml) and you verify usernames and passwords against e.g. a database yourself?
The reason why I want to do this is because the web application is just one of the applications talking to session beans (all protected or using roles from a custom login module).

Silvester

<quote from="Guy Rouillier">
> I can share what we do using form-based authentication. We've rolled
> our own authentication mechanism, and have JBoss and Tomcat on different
> servers. This may be what you mean by "login form on each page" - I'm
> not clear. At any rate, at the top of each page, the developer has
>
> <%@ include file="/common/html/authenheader.jsp" %>
>
> and at the bottom is
>
> <%@ include file="/common/html/authentrailer.jsp" %>
>
> The header opens a try block. In there, it checks the session to see if
> the user is logged on. If not, it stores request.getRequestURI in the
> session and redirects to login_form.jsp. In login_hdlr.jsp, if the
> userid and password validate, the session is updated and a redirect to
> the stored target is executed. authentrailer closes the try block and
> handles exceptions.
>
> ----- Original Message -----
> From: "Silvester van der Bijl" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, February 24, 2003 8:22 PM
> Subject: Re: [JBoss-user] Form based authentication
>
> David,
>
> Thanks for the suggestion. I do have a login form on each page (that is
> until the user logs in :-) ). I did think of something like you're
> describing, but I just figured there had to be a better way.
>
> I found some more information on that AuthenticationInterceptor, but as
> far as I can figure, you can't tell JBoss/Jetty to use a different
> interceptor for this.
>
> Besides, it seems kind of overkill to write a custom class just to allow
> direct requests to a login page....
>
> Any other thoughts?
>
> Silvester
>
> <quote from="David Ward">
>> Silvester,
>>
>> I'll share what I do. I have a single servlet that is a central
>> controller that delegates processing and dispatches requests to JSPs
>> (based on pathInfo). However, *I have 2 servlet mappings to it*.
>>
>> /myapp/web/pathInfo - myapp is the context, web is the servlet, pathInfo
>> (and request params) tell me how to process and where to request
>> dispatch to.
>>
>> /myapp/sweb/pathInfo - same as above except sweb (notice the "s") is a
>> different mapping *to the same servlet*, except it also is a web
>> protected resource.
>>
>> I have a dynamic login/logout link on each page (based on principal in
>> request), which simply links back to itself except replacing "web" with
>> "sweb". After the user logs in, he/she ends up visually back to where
>> he/she started, though the path in the url is a bit different.
>>
>> Now, it sounds like you have an actual login form on each of your pages.
>> I've not done that, but I'm guessing you could do the same thing as me,
>> except just pass along the username and password to a dummy login with
>> no display that onLoad (JavaScript) simply submits for you. But 1) that
>> seems hokey, and 2) you would want to make sure you're using SSL
>> otherwise your username and password are plain-text'ing over the net.
>> What do other people do in this circumstance?
>>
>> David
>>
>> --
>>
>> Quoting Silvester van der Bijl <[EMAIL PROTECTED]>:
>>
>>> Hi there,
>>>
>>> We've got a web application which on each page displays a login box if
>>> the user isn't authenticated, or otherwise his personal menu, etc...
>>>
>>> The problem is, that after successfully authenticating a user
>>> (j_security_check target), jetty doesn't know where to redirect the
>>> user to since I made a direct request to the login page (sort of).
>>>
>>> Shouldn't there be an additional property for j_security_check, like
>>> j_onsuccess_redirect_to?
>>>
>>> Does anyone know of a workaround for this problem? I've read about
>>> using a custom AuthenticationInterceptor, only I can't find where this
>>> interceptor is configured?
>>>
>>> Please help.
>>> Silvester

_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
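
The header/handler flow described in the quoted reply from Guy Rouillier (store the requested URI in the session, redirect to the login form, return to the stored target after the userid and password validate), written as a servlet filter. This is an added example, not code from the thread or from JBoss: the class name, the session attribute names and the `loginSucceeded` helper are assumptions, and `changeSessionId()` needs a Servlet 3.1+ container.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: filter form of the authenheader.jsp / login_hdlr.jsp flow. */
public class AuthenFilter implements Filter {
    static final String USER = "authUser";       // assumed session attribute name
    static final String TARGET = "loginTarget";  // assumed session attribute name
    static final String FORM = "/login_form.jsp", HANDLER = "/login_hdlr.jsp";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String path = req.getRequestURI().substring(req.getContextPath().length());
        HttpSession s = req.getSession(true);
        // Logged-on users and the login pages themselves pass straight through.
        if (s.getAttribute(USER) != null || path.equals(FORM) || path.equals(HANDLER)) {
            chain.doFilter(rq, rs);
            return;
        }
        // Not logged on: remember where the user was going, then show the form.
        String q = req.getQueryString();
        s.setAttribute(TARGET, req.getRequestURI() + (q == null ? "" : "?" + q));
        res.sendRedirect(req.getContextPath() + FORM);
    }

    /** login_hdlr.jsp calls this only after the userid and password validate. */
    public static void loginSucceeded(HttpServletRequest req, HttpServletResponse res,
                                      String userId) throws IOException {
        HttpSession s = req.getSession(true);
        String target = (String) s.getAttribute(TARGET);
        s.removeAttribute(TARGET);
        req.changeSessionId();           // Servlet 3.1+: issue a new session id at login
        s.setAttribute(USER, userId);
        // Only return to a path inside this application; otherwise use its root.
        String ctx = req.getContextPath();
        boolean local = target != null && target.startsWith(ctx + "/")
                && !target.startsWith("//");
        res.sendRedirect(local ? target : ctx + "/");
    }
}
```

Only GET targets survive the round trip; the body of a POST made before login is not replayed.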
