On Tue, 12 Jun 2001, Abraham Kang wrote:

> RE: Form-based Authentication
>
> Hi Jason,
> 
>     I should have been clearer.
> 
>     The only time that you do not want the login-form to specify
> "j_security_check" as its action is when you want to do some special
> preprocessing before the user is authenticated.  By forwarding to a servlet
> (I haven't tried this with an Action but it should work) you can do your
> preprocessing in the servlet and then do a requestDispatcher.forward( ) to
> j_security_check.  This will allow you to do pre-processing and take
> advantage of the container's authentication realm.
> 

WARNING:  Although it might be supported by some containers, you are *not*
guaranteed by the servlet spec that you can portably play that sort of a
game.  The spec clearly states that the form login page *must* have an
action of "j_security_check".  (I haven't tried it, but I'm pretty sure
your technique would not work on Tomcat.)

>     My guess is you are currently doing authentication against a database
> table.  If you are using WebLogic you can use the DBMSRealm.  This will
> probably mean you will need to add some tables to support the roles in
> WebLogic but now you don't need the authentication code in your actions.
> The container manages access to protected resources.  You don't have to have
> any scriptlets at the top of your pages as long as the regular expression in
> the <url-pattern> of the <security-constraint> element of your web.xml
> matches all of your protected resources.
> 

Tomcat supports a similar mechanism -- you can configure lookup of users
in a flatfile, in a database, or in a directory server.  Each container
will provide its own mechanisms for defining how and where users and
roles can be stored.

> --Abraham

Craig McClanahan
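
An added example, not part of the original message or of any container's code: a small Python lint that checks a static login page against the form-login rule cited above (action "j_security_check") and the j_username / j_password field names the servlet spec pairs with it. The sample pages, the /app/preLogin path and the "first form is the login form" rule are assumptions made for illustration.

```python
from html.parser import HTMLParser

REQUIRED_ACTION = "j_security_check"
REQUIRED_FIELDS = ("j_username", "j_password")

class FormCollector(HTMLParser):
    """Collect each <form>'s action and the names of its <input> fields."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "fields": set()}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None and a.get("name"):
            self._open["fields"].add(a["name"])
    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def action_target(action):
    """Last path segment of the action, ignoring query string and ;jsessionid."""
    return action.split("?", 1)[0].split(";", 1)[0].rsplit("/", 1)[-1]

def check_login_page(html):
    """Return a list of findings; an empty list means the form is portable."""
    parser = FormCollector()
    parser.feed(html)
    if not parser.forms:
        return ["no <form> found on login page"]
    form = parser.forms[0]  # assumption: the first form is the login form
    findings = []
    if action_target(form["action"]) != REQUIRED_ACTION:
        findings.append(f"action is {form['action']!r}, not {REQUIRED_ACTION}")
    for name in REQUIRED_FIELDS:
        if name not in form["fields"]:
            findings.append(f"missing input field {name}")
    return findings

# Constructed sample pages (not from the thread).
PORTABLE = '''<form method="POST" action="j_security_check">
<input type="text" name="j_username"><input type="password" name="j_password"></form>'''
PREPROCESSED = '''<form method="POST" action="/app/preLogin">
<input type="text" name="j_username"><input type="password" name="pw"/></form>'''

if __name__ == "__main__":
    for label, page in (("portable", PORTABLE), ("preprocessed", PREPROCESSED)):
        print(label, check_login_page(page) or "OK")
```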
