Michael Gustav Simon wrote:
The user logging-in process is as follows (redirections):
correct logon:
LoginProxyServlet -> LoginServlet -> LoginRedirectorServlet
error logon:
LoginProxyServlet -> LoginServlet -> LoginErrorServlet
logout:
LogoutServlet
When you call "/login/proxy" it should be fine.
I know, it was a test to determine how the system calls the login-pipeline.
I don't understand how the pipeline is instantiated after the LoginProxyServlet.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Think we covered this before on this list on a thread called "Login
page" on Jan 11, 2006
Here is part of the discussion:
Hi Aaron,
Great description of our Active Authentication process.
I also have a sequence diagram of this process on paper here....
It would be great to have this process documented in the xdocs
Would you like to volunteer to write a Active Authentication page for
our documentation?
I scanned in the diagram here, you may find it informative:
http://www.bluesunrise.com/jetspeed-2/AA.jpg
Aaron Evans wrote:
> yao cuihong <yaocuihong <at> gmail.com> writes:
>
>
>> 2. Jetspeed 2 security services rely entirely on JAAS
>> Does the LoginPortlet in j2-admin portlet application use JAAS?
>> What is the mechanism of LoginPortlet? I read the source of
>> LoginPortlet, but don't understand.
>> How does the LoginPortlet authenticate the user?
>>
>
>
> I posted this on another thread, but just so others following this
thread will
> see the answer:
>
> Jetspeeed uses a JAAS realm for authentication. It is configured in
jetspeed's
> context xml (although it can be moved up to the container level).
>
> J2EE containers that use realm authentication require that the
request parameters j_username and j_password be posted to
/j_security_check for authentication.
> If you look at jetspeed's web.xml, you will see a standard web
application
> security constraint and login config:
>
> <!-- Protect LogInRedirectory.jsp. This will require a login when
called -->
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Login</web-resource-name>
> <url-pattern>/login/redirector</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>*</role-name>
> </auth-constraint>
> </security-constraint>
>
>
> <!-- Login configuration uses form-based authentication -->
> <login-config>
> <auth-method>FORM</auth-method>
> <realm-name>Jetspeed</realm-name>
> <form-login-config>
> <form-login-page>/login/login</form-login-page>
> <form-error-page>/login/error</form-error-page>
> </form-login-config>
> </login-config>
> I believe that what happens is that the login portlet posts to the
> /login/redirector protected resource. Because the user is not
authenticated,
> they get redirected to /login/login.
> I believe that the /login/login URI is a blank page that contains a
hidden form that takes the user name and password parameter values
submitted from the login portlet and puts them in hidden fields with the
names j_username and j_password. It also has some kind of onload JS or
meta refresh which then causes the hidden form to post to /j_security_check.
>
> If authentication is not successful, the user will be sent to
/login/error.
> If it is successful, the user will be sent to /login/redirector and
they will
> now be allowed access to it because they have been authenticated.
This URI
> no doubt redirects to the portal root (applying profiling rules).
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
