> If you are rolling your own login authentication, putting it in the Controller
> servlet is pretty easy.  Just make sure that you allow the user to execute the
> "login" action without being authenticated -- otherwise you're in a "Catch-22"
> situation.

I do this, but I configure a property for the login page. That way, when the
controller servlet notices the user doesn't have a session (not yet logged
in), it forwards the request to the configured 'login' URL. This lets me
reuse the controller without code changes.

>
> Note that putting authentication logic only in the servlet or action classes does
> not protect you from the user trying to access one of your JSP pages directly -- it
> will catch them only when they try to post.  To prevent this, you'd also need to
> add a check at the top of every JSP page.
>
I handle this by protecting the whole web site, _except_ for the controller
servlet, from access from any host other than localhost. That way, the
controller servlet can forward requests to any URL but no remote user can
directly access anything but the controller servlet. Since I have access to
the host, I can directly access pages for testing.

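The arrangement described in the reply (a controller servlet that lets "login" through unauthenticated, forwards everyone else to a configured login page, and is the only thing a remote client can reach directly), written out as an added example. This is not code from the original post or its author; it is a plain javax.servlet front controller. The init-param names `loginPage` and `userAttribute`, the `action` request parameter, the `/WEB-INF/jsp/` view directory and the sample account are all assumptions for the example. It treats a user as logged in only when the session carries the user marker set by the login action, rather than on the mere presence of a session.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the original post): a front controller that lets the
 * "login" action run unauthenticated, sends every other action to a configurable
 * login page until the session carries a user marker, and then forwards to JSPs
 * kept under /WEB-INF so no remote client can request them directly.
 *
 * Hypothetical init-params in web.xml:
 *   loginPage     - e.g. /WEB-INF/jsp/login.jsp
 *   userAttribute - session attribute set once authentication succeeds, e.g. "user"
 */
public class ControllerServlet extends HttpServlet {
    private static final String LOGIN_ACTION = "login";
    private String loginPage;
    private String userAttribute;

    // Constructed sample credential store: username -> PBKDF2(salt, password).
    // A real application loads these from a database; per-user salts in practice.
    private static final String SALT = "example-salt";
    private static final Map<String, byte[]> USERS = new HashMap<>();
    static {
        USERS.put("alice", hash("s3cret"));  // sample account for the example only
    }

    private static byte[] hash(String password) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(),
                    SALT.getBytes(StandardCharsets.UTF_8), 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    static boolean checkCredentials(String user, String password) {
        byte[] expected = USERS.get(user);
        if (expected == null || password == null) return false;
        return MessageDigest.isEqual(expected, hash(password)); // constant-time compare
    }

    @Override
    public void init(ServletConfig config) throws ServletException {
        super.init(config);
        loginPage = config.getInitParameter("loginPage");
        userAttribute = config.getInitParameter("userAttribute");
        if (loginPage == null || userAttribute == null) {
            throw new ServletException("init-params loginPage and userAttribute are required");
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doPost(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String action = req.getParameter("action");
        // Only a plain word may become part of a view path; anything else is "home".
        if (action == null || !action.matches("[a-z]+")) action = "home";

        if (LOGIN_ACTION.equals(action)) {   // the one action allowed without being logged in
            handleLogin(req, resp);
            return;
        }
        if (!isLoggedIn(req)) {              // everything else is forwarded to the login page
            req.getRequestDispatcher(loginPage).forward(req, resp);
            return;
        }
        req.getRequestDispatcher("/WEB-INF/jsp/" + action + ".jsp").forward(req, resp);
    }

    private boolean isLoggedIn(HttpServletRequest req) {
        HttpSession session = req.getSession(false);  // never create a session just to test it
        return session != null && session.getAttribute(userAttribute) != null;
    }

    private void handleLogin(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        if (checkCredentials(user, req.getParameter("password"))) {
            HttpSession old = req.getSession(false);
            if (old != null) old.invalidate();       // fresh session id after login (fixation defence)
            req.getSession(true).setAttribute(userAttribute, user);
            resp.sendRedirect(req.getRequestURI());  // re-enter the controller as "home" via GET
        } else {
            req.setAttribute("loginFailed", Boolean.TRUE);
            req.getRequestDispatcher(loginPage).forward(req, resp);
        }
    }
}
```

Map the servlet to a single URL in web.xml and hand it the two init-params; the login JSP posts `action=login` plus `username` and `password` back to that URL. Keeping the views under `/WEB-INF/jsp/` means the container refuses direct requests for them while `RequestDispatcher.forward` still reaches them, which covers the "direct JSP access" case the quoted message raises without depending on the web server's localhost-only rule; the two can be combined.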

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
Some relevant FAQs on JSP/Servlets can be found at:

 http://java.sun.com/products/jsp/faq.html
 http://www.esperanto.org.nz/jsp/jspfaq.html
 http://www.jguru.com/jguru/faq/faqpage.jsp?name=JSP
 http://www.jguru.com/jguru/faq/faqpage.jsp?name=Servlets
