form-based authentication question

2004-03-23 Thread Koes, Derrick
Using Tomcat 4.1.X, I'm attempting to switch a web app from basic auth to
form-based.  I'm having difficulty in one area.  After creating the new form
and posting to j_security_check, I wish to GET my welcome page.  It
appears to be doing this from the URL in the address bar, but the page looks
exactly like my login page.  That is, it seems to have posted to itself.
What's the appropriate way to forward to the welcome page?

 

A working example login page, welcome page, and deployment descriptor would
be appreciated.

Thanks,

Derrick

This electronic transmission is strictly confidential to Smith & Nephew and
intended solely for the addressee.  It may contain information which is
covered by legal, professional or other privilege.  If you are not the
intended addressee, or someone authorized by the intended addressee to
receive transmissions on behalf of the addressee, you must not retain,
disclose in any form, copy or take any action in reliance on this
transmission.  If you have received this transmission in error, please
notify the sender as soon as possible and destroy this message.


RE: form-based authentication question

2004-03-23 Thread Koes, Derrick


It may be good for someone to answer this, but I figured out my problem.  I
accidentally used the login page name where the welcome page name should
have been in the servlet configuration.

Cockpit error.



-----Original Message-----
From: Koes, Derrick
Sent: Tuesday, March 23, 2004 2:49 PM
To: '[EMAIL PROTECTED]'
Subject: form-based authentication question

Using Tomcat 4.1.X, I'm attempting to switch a web app from basic auth to
form-based.  I'm having difficulty in one area.  After creating the new form
and posting to j_security_check, I wish to GET my welcome page.  It
appears to be doing this from the URL in the address bar, but the page looks
exactly like my login page.  That is, it seems to have posted to itself.
What's the appropriate way to forward to the welcome page?

A working example login page, welcome page, and deployment descriptor would
be appreciated.

Thanks,

Derrick


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Form-based authentication question

2004-03-01 Thread Edd Dawson
Hi

I have successfully set up Tomcat to protect various parts of my
application using JDBCRealm and form-based authentication, and it all
works fine.

Now I have written a system whereby new users can register and it
creates them their chosen username and puts them in the right roles in
the database.

Now what I want to be able to do is have my servlet automatically log
them in as they register without the need for them to be redirected to
the login form and re-enter their username and password.

I am presuming this is possible as I log my users out by invoking
request.getSession().invalidate(); in my logoff servlet, so my question
is how do I create their session without using the default login form?

Thanks
Edd





FORM-based authentication question

2001-09-07 Thread Kevin HaleBoyes

I'm successfully using FORM-based logins in my application but I have
a few questions.  When a user logs in, I want to attach certain information
to the session.  Currently I use a filter that checks to see if the
request.getRemoteUser is set (or has changed) and if so, I do a database
call to get the User information, instantiate a UserClass and set it into
the session.  It works fine but...

The filter gets called for every request but only acts when a user logs in.
Sure the test (to see if anything needs to be done) is simple and fairly
quick, but it is done for _every_ request.

Is there a better way?

I'm thinking something similar in style to the HttpSessionListener interface.
Maybe an AuthenticationListener.  Tomcat 4 (or any Servlet 2.3 container :)
knows when a user has been authenticated (or, for that matter, when the
authentication/session times out) but I don't see any way to hook into that
event.  The timed out session information can be had using the
HttpSessionListener.sessionDestroyed() method and my application knows
if, in the very rare case :-) that a user actually logs out.  But notification
of an authentication seems to be missing (from the spec).

The HttpSessionListener.sessionCreated() method doesn't do what I want since
a session is created even when a user is not authenticated.

How do others attach information to the session once a user has been
authenticated?

Thanks,
Kevin HaleBoyes






Re: FORM-based authentication question

2001-09-07 Thread Craig R. McClanahan



On Fri, 7 Sep 2001, Kevin HaleBoyes wrote:

> Date: Fri, 7 Sep 2001 16:48:01 +0100 (BST)
> From: Kevin HaleBoyes [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: FORM-based authentication question
>
> I'm successfully using FORM-based logins in my application but I have
> a few questions.  When a user logs in, I want to attach certain information
> to the session.  Currently I use a filter that checks to see if the
> request.getRemoteUser is set (or has changed) and if so, I do a database
> call to get the User information, instantiate a UserClass and set it into
> the session.  It works fine but...
>
> The filter gets called for every request but only acts when a user logs in.
> Sure the test (to see if anything needs to be done) is simple and fairly
> quick, but it is done for _every_ request.
>
> Is there a better way?
>
> I'm thinking something similar in style to the HttpSessionListener
> interface. Maybe an AuthenticationListener.  Tomcat 4 (or any Servlet
> 2.3 container :) knows when a user has been authenticated (or, for
> that matter, when the authentication/session times out) but I don't
> see any way to hook into that event.  The timed out session
> information can be had using the
> HttpSessionListener.sessionDestroyed() method and my application knows
> if, in the very rare case :-) that a user actually logs out.  But
> notification of an authentication seems to be missing (from the
> spec).
>
> The HttpSessionListener.sessionCreated() method doesn't do what I want since
> a session is created even when a user is not authenticated.
>
> How do others attach information to the session once a user has been
> authenticated?


You can use HttpSessionListener to detect when the session is created or
destroyed, but there are no servlet API mechanisms that let you hook in to
the "user was authenticated" event.  You could write a Tomcat-specific
mechanism to do that, but for a portable application the filter approach
seems to me to be the best.

> Thanks,
> Kevin HaleBoyes


Craig
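
The filter approach discussed in this thread, sketched as an added example; it is not code from either poster or from Tomcat. The class name, the session attribute names and the `loadUser` helper are hypothetical. It does the per-request check as one string comparison, reloads the user data only when `getRemoteUser()` differs from the name cached in the session, and clears the cached data if the request is no longer authenticated.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Added example: attaches per-user data to the session once per login. */
public class UserSessionFilter implements Filter {
    // Hypothetical attribute names, not taken from the thread.
    static final String USER_ATTR = "app.user";
    static final String LOGIN_ATTR = "app.user.login";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String remoteUser = request.getRemoteUser();      // null until the container authenticates
        HttpSession session = request.getSession(false);  // never create a session here

        if (session != null) {
            String cached = (String) session.getAttribute(LOGIN_ATTR);
            if (remoteUser == null) {
                // Not authenticated: drop data left over from an earlier login.
                if (cached != null) {
                    session.removeAttribute(USER_ATTR);
                    session.removeAttribute(LOGIN_ATTR);
                }
            } else if (!remoteUser.equals(cached)) {
                // First request after login, or the principal changed: reload.
                session.setAttribute(USER_ATTR, loadUser(remoteUser));
                session.setAttribute(LOGIN_ATTR, remoteUser);
            }
        }
        chain.doFilter(req, res);
    }

    /** Placeholder for the database call described in the thread. */
    protected Object loadUser(String login) throws ServletException {
        // Key the lookup on the container-authenticated name only,
        // never on a request parameter supplied by the client.
        return login;
    }
}
```

Map the filter only to the URL patterns covered by the security constraint, so unprotected resources skip the check entirely.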