Re: Form-based login question - explicit login

2004-11-05 Thread footh
From what I gather, you are not using the built-in
forms-based authentication?  I'd like to stick with it
for now but will consider other options as I add more
functionality.


--- Jonathan Wilson <[EMAIL PROTECTED]>
wrote:

> There's probably a much better way, but I like the fine-grained approach
> I use. Unfortunately (or fortunately) it requires *every* page you want
> access controlled to have a  tag. The included jsp file checks a session
> variable to determine if the user is logged in, and whether or not their
> 'role' is sufficient (my app-defined roles, not to be confused with the
> role mechanism contained within Tomcat itself) to access the resource -
> so the jsp:included page either forwards them to login page, notifies
> them they don't have the necessary privileges, or lets them pass
> through. For the proper jsp:forward after the user successfully logs in
> (or if s/he already has the proper perms) I just check a calling
> parameter which I set from the original calling page (which is properly
> URL encoded) and jsp:forward the user to that resource. You should check
> for null forwarding parameters in case the access controlled page
> doesn't actually set its forward address properly (well worth your
> time). Probably a confusing process, but it makes sense to me! ..and
> it's working on a large-scale in-house production app - there are
> performance issues I'm sure if you're considering a super-large
> deployment.
> 
> If anybody has a better/quicker solution I'm
> interested.
> 
> --JW
> 
> 
> footh wrote:
> 
> >I have a quick question regarding Tomcat's form-based login.  I have
> >it working fine for pages that are listed as protected.  For ex, if a
> >user hits a protected page, they are redirected to a login page, we'll
> >call it "login_required" that says the requested resource requires a
> >login.  If they fail the login, the error page, we'll call
> >"login_invalid", appears which looks just like the login_required page
> >except it says invalid login, please try again.  If the user logs in
> >correctly on any of these pages, they are redirected to the original
> >protected page.  This works great.
> >
> >But, the user can explicitly log in by clicking on a "log in" link
> >everywhere on the site.  I have an idea of how to do this, but I have
> >a couple of questions regarding this idea.
> >
> >I was going to create a "login_dummy" page, a protected page that is
> >the source of all the "login" links throughout the site.  When this
> >page is hit, the whole forms-based login process will occur.  When the
> >user finally authenticates, the login_dummy page will just redirect
> >them to the home page.
> >
> >The questions I have are 1) I would really like to direct the user to
> >the page they were on when they clicked the "login" link.  I can't
> >figure out how to do that.  And 2) This method requires that I use the
> >"login_required" page described above (the form attached to the
> >form-based login) which will contain text like "the requested resource
> >requires a login, etc, etc."  When they click on a login link, they
> >aren't accessing a protected resource, they are just logging in.  So,
> >I really need a different login page (or just different introductory
> >text).  However, I don't know how to differentiate that I'm coming
> >from a direct login link.
> >
> >The latter issue isn't a big deal, I could always just use a generic
> >login page.  Anyway, does anyone have any ideas of how I might be able
> >to implement this?
> >
> >Thanks,
> >
> >JF



Re: Form-based login question - explicit login

2004-11-05 Thread Jonathan Wilson
There's probably a much better way, but I like the fine-grained approach
I use. Unfortunately (or fortunately) it requires *every* page you want
access controlled to have a  tag. The included jsp file checks a session
variable to determine if the user is logged in, and whether or not their
'role' is sufficient (my app-defined roles, not to be confused with the
role mechanism contained within Tomcat itself) to access the resource -
so the jsp:included page either forwards them to login page, notifies
them they don't have the necessary privileges, or lets them pass
through. For the proper jsp:forward after the user successfully logs in
(or if s/he already has the proper perms) I just check a calling
parameter which I set from the original calling page (which is properly
URL encoded) and jsp:forward the user to that resource. You should check
for null forwarding parameters in case the access controlled page
doesn't actually set its forward address properly (well worth your
time). Probably a confusing process, but it makes sense to me! ..and
it's working on a large-scale in-house production app - there are
performance issues I'm sure if you're considering a super-large
deployment.

If anybody has a better/quicker solution I'm interested.
--JW

footh wrote:

> I have a quick question regarding Tomcat's form-based
> login.  I have it working fine for pages that are
> listed as protected.  For ex, if a user hits a
> protected page, they are redirected to a login page,
> we'll call it "login_required" that says the requested
> resource requires a login.  If they fail the login,
> the error page, we'll call "login_invalid", appears
> which looks just like the login_required page except
> it says invalid login, please try again.  If the user
> logs in correctly on any of these pages, they are
> redirected to the original protected page.  This works
> great.
>
> But, the user can explicitly log in by clicking on a
> "log in" link everywhere on the site.  I have an
> idea of how to do this, but I have a couple of
> questions regarding this idea.
>
> I was going to create a "login_dummy" page, a
> protected page that is the source of all the "login"
> links throughout the site.  When this page is hit, the
> whole forms-based login process will occur.  When the
> user finally authenticates, the login_dummy page will
> just redirect them to the home page.
>
> The questions I have are 1) I would really like to
> direct the user to the page they were on when they
> clicked the "login" link.  I can't figure out how to
> do that.  And 2) This method requires that I use the
> "login_required" page described above (the form
> attached to the form-based login) which will contain
> text like "the requested resource requires a login,
> etc, etc."  When they click on a login link, they
> aren't accessing a protected resource, they are just
> logging in.  So, I really need a different login page
> (or just different introductory text).  However, I
> don't know how to differentiate that I'm coming from a
> direct login link.
>
> The latter issue isn't a big deal, I could always just
> use a generic login page.  Anyway, does anyone have
> any ideas of how I might be able to implement this?
>
> Thanks,
>
> JF
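
The session check and forward-target handling described in this message, as an added Java example that is not code from the thread. Numeric role levels, the page names, and the rule that only context-relative paths outside WEB-INF and META-INF are accepted are assumptions.

```java
import java.util.Set;

/** Added illustration; class, role levels and page names are hypothetical. */
public class LoginForwardCheck {
    static final String HOME = "/index.jsp"; // assumed fallback page
    // Assumed login pages; forwarding back to them would loop.
    static final Set<String> LOGIN_PAGES = Set.of("/login.jsp", "/login_invalid.jsp");

    enum Decision { PASS, TO_LOGIN, DENIED }

    /** Decision the included JSP makes from the session state (roles modelled as levels). */
    static Decision check(String sessionUser, Integer sessionRole, int requiredRole) {
        if (sessionUser == null || sessionRole == null) return Decision.TO_LOGIN;
        return sessionRole >= requiredRole ? Decision.PASS : Decision.DENIED;
    }

    /** Resolve the "calling parameter" to a path that is acceptable to jsp:forward to. */
    static String forwardTarget(String param) {
        // The calling page did not set its forward address: fall back instead of failing.
        if (param == null || param.isBlank()) return HOME;
        String p = param.trim();
        // Accept context-relative paths only: no scheme, no host, no backslashes.
        if (!p.startsWith("/") || p.startsWith("//") || p.contains("\\") || p.contains("://")) {
            return HOME;
        }
        int q = p.indexOf('?');
        String path = q >= 0 ? p.substring(0, q) : p;
        String lower = path.toLowerCase();
        // No traversal, no container-private directories, no loop back to the login pages.
        if (path.contains("..") || lower.startsWith("/web-inf") || lower.startsWith("/meta-inf")
                || LOGIN_PAGES.contains(path)) {
            return HOME;
        }
        return p;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the thread.
        String[] samples = { null, "", "/reports/view.jsp?id=7", "http://example.test/x",
                             "//example.test/x", "/WEB-INF/web.xml", "/a/../WEB-INF/web.xml",
                             "/login.jsp" };
        for (String s : samples) System.out.println(s + " -> " + forwardTarget(s));
        System.out.println(check(null, null, 2));
        System.out.println(check("jw", 1, 2));
        System.out.println(check("jw", 3, 2));
    }
}
```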
		


Form-based login question - explicit login

2004-11-05 Thread footh
I have a quick question regarding Tomcat's form-based
login.  I have it working fine for pages that are
listed as protected.  For ex, if a user hits a
protected page, they are redirected to a login page,
we'll call it "login_required" that says the requested
resource requires a login.  If they fail the login,
the error page, we'll call "login_invalid", appears
which looks just like the login_required page except
it says invalid login, please try again.  If the user
logs in correctly on any of these pages, they are
redirected to the original protected page.  This works
great.

But, the user can explicitly log in by clicking on a
"log in" link everywhere on the site.  I have an
idea of how to do this, but I have a couple of
questions regarding this idea.

I was going to create a "login_dummy" page, a
protected page that is the source of all the "login"
links throughout the site.  When this page is hit, the
whole forms-based login process will occur.  When the
user finally authenticates, the login_dummy page will
just redirect them to the home page.

The questions I have are 1) I would really like to
direct the user to the page they were on when they
clicked the "login" link.  I can't figure out how to
do that.  And 2) This method requires that I use the
"login_required" page described above (the form
attached to the form-based login) which will contain
text like "the requested resource requires a login,
etc, etc."  When they click on a login link, they
aren't accessing a protected resource, they are just
logging in.  So, I really need a different login page
(or just different introductory text).  However, I
don't know how to differentiate that I'm coming from a
direct login link.

The latter issue isn't a big deal, I could always just
use a generic login page.  Anyway, does anyone have
any ideas of how I might be able to implement this?

Thanks,

JF


