On Wed, 13 Jun 2001, Jon.Ridgway wrote:

> Hi All,
> 
> Form based auth is something that I have just been looking at, so I thought
> I'd add my two pennies worth.
> 
> My login form is using struts html, bean and template tags (no html:form)
> and all appears ok. My template has an adapted version of the checkLogin tag
> provided with the struts-example. My adapted version just checks that a user
> attribute is in the session and creates one if it is not using the
> j_username and j_password to look the users' details up in my db.
> 
> Question: can I be sure that *all* containers will put a j_username and
> j_password attribute in the session, like tomcat does?
> 

Umm, which version of Tomcat does that?  It's certainly *not* in the
servlet spec.

The best way to understand exactly what you can expect to be portable is
to read the appropriate portion of the spec itself (it's only a page or
two in the Security chapter).  You can download it from:

  http://java.sun.com/products/servlet/download.html

You can use a JSP page (in all its glory) as your form login page if you
want to, with no problems -- as long as the form action is
"j_security_check" and the input fields are "j_username" and
"j_password".  You cannot count on anything related to session attributes
that the container itself might or might not create.

The only portable way to detect whether someone has successfully logged on
with any of the container-managed security mechanisms is to call
request.getRemoteUser() and make sure you got a non-null return.  Form
based is different from BASIC in one respect, though -- your authenticated
identity lasts only until the current session is invalidated or times
out.  With BASIC, the authenticated identity lasts until the browser is
restarted.

> Jon.
> 

Craig McClanahan
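The portable approach described in the reply above (fixed form names, and request.getRemoteUser() as the only signal that container-managed login succeeded), as an added example that is not part of the original thread, the struts-example, or Struts itself. It assumes the javax.servlet Filter API (Servlet 2.3 or later), and the ContainerAuthFilter, USER_KEY and UserBean names, together with the in-memory user table standing in for the database lookup, are all constructed for illustration:

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * The login page itself only needs the three names the spec fixes; any JSP or
 * Struts markup around them is fine:
 *
 *   <form method="post" action="j_security_check">
 *     <input type="text"     name="j_username">
 *     <input type="password" name="j_password">
 *     <input type="submit"   value="Log in">
 *   </form>
 *
 * Hypothetical filter: it keeps the application's own user object in the
 * session, but derives it from getRemoteUser() rather than from any
 * j_username/j_password session attribute, which no container is required
 * to create.
 */
public class ContainerAuthFilter implements Filter {

    // Session attribute holding the application-level user object.
    public static final String USER_KEY = "user";

    // Constructed stand-in for the database lookup in the original post.
    private final Map users = new HashMap();

    public void init(FilterConfig config) throws ServletException {
        users.put("alice", new UserBean("alice", "Alice Example"));
    }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;

        // The one portable signal: non-null means the container authenticated
        // this request, whichever mechanism (FORM, BASIC, ...) was configured.
        String remoteUser = req.getRemoteUser();
        if (remoteUser == null) {
            // Unauthenticated request to an unprotected URL. Protected URLs
            // never get this far: the container redirects to the form first.
            chain.doFilter(request, response);
            return;
        }

        HttpSession session = req.getSession(true);
        UserBean user = (UserBean) session.getAttribute(USER_KEY);

        // Re-resolve when the attribute is missing OR names someone else: a
        // session can outlive one identity, and a stale object must not leak
        // the previous user's data to the next login.
        if (user == null || !remoteUser.equals(user.getUsername())) {
            user = (UserBean) users.get(remoteUser);
            if (user == null) {
                // The container knows this user but the application does not:
                // refuse rather than proceed with a half-known identity.
                session.removeAttribute(USER_KEY);
                ((HttpServletResponse) response)
                        .sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            session.setAttribute(USER_KEY, user);
        }
        chain.doFilter(request, response);
    }

    /** Minimal application user object; a real one would come from the DB. */
    public static class UserBean implements java.io.Serializable {
        private final String username;
        private final String displayName;

        public UserBean(String username, String displayName) {
            this.username = username;
            this.displayName = displayName;
        }

        public String getUsername()    { return username; }
        public String getDisplayName() { return displayName; }
    }
}
```

The filter is mapped in web.xml alongside a `<login-config>` with `<auth-method>FORM</auth-method>`; because it reads only getRemoteUser(), the same class works unchanged if the deployment later switches to BASIC, the only difference being the lifetime of the identity that the reply above points out (session for FORM, browser lifetime for BASIC).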


