Hello Max,

--- Max Cooper <[EMAIL PROTECTED]> wrote:
> One thing that you cannot do with container-managed security is direct the
> users to the login form page to force them to login. As an alternative, you
> can protect a page and send users there, so the container will send them
> through the login form. For instance, if your login form is /loginForm.do,
> you could make a page (even a redirect back to your home page if you want
> users to end up there) named /protected.do and then setup a security
> constraint for that page. Your Login link would be
> <a href="(contextPath)/protected.do">Login</a> with this setup.

This alternative seems attractive to me, but I'm not sure I have truly grasped how it works. I'm going to try to paraphrase, so please correct me if I'm wrong:

- I would provide a link on the public homepage that says "Login here" on it. When users click the link they would go to a dummy protected page that simply redirects the user back to the homepage. Once they login through that they're automatically back in the homepage and they're logged in!

One thing that I want to implement is providing the login form within the home-page to make it a single-step job for them, so they'll see the login form on the side of the page when they first come in. Otherwise there are two steps involved, first click on the login link to go to the login form and then submit the login form. How do you think I can do that?

Think about Amazon. You can either be logged-in or not logged-in and it will still work. If you're logged-in the website treats you like a familiar customer, if not just default. That's the exact same functionality that I'm trying to implement here.

I hope this gives a wider picture of what I want to do and perhaps you know a better way to do this than how I was currently planning on doing it above.

>
> I think you can achieve your desired functionality with those techniques. If
> you need more info, I'll be happy to help out.
>
> Another alternative is to use a filter to mimic container-managed security
> [including wrapping the request with your implementations of getRemoteUser()
> and isUserInRole()]. This way, you could provide a programmatic interface to
> log users in with an Action, but the value of providing the interface is not
> clear to me. I think you can achieve your desired functionality without it,
> and end up with less coupling between your app and the authentication
> mechanism.
>
> -Max

Thanks,
Mete

>
> ----- Original Message -----
> From: "Eddie Bush" <[EMAIL PROTECTED]>
> To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> Sent: Wednesday, July 17, 2002 6:59 PM
> Subject: Re: Struts/Container-Managed Authentication Question
>
>
> > I'd recommend putting it to the Tomcat guys, but I'm just about positive
> > you'd have to use j_security_check (ie FORM-based authentication).
> >
> > Mete Kural wrote:
> >
> > >Hi,
> > >
> > >My Struts-based webapp has two sub-apps.
> > >
> > >In the first sub-app, anybody can surf through without
> > >having to be logged in, but if you are logged in, some
> > >special features are enabled (ex: "Hello Mr. ..").
> > >
> > >In the second sub-app, you have to be logged in to
> > >access the pages therein.
> > >
> > >For the entirety of the second sub-app, obviously a
> > >security-constraint should be declared in web.xml. But
> > >the first sub-app is open to anybody, although login
> > >is encouraged (i.e. not required). For that reason, I
> > >can't put a security-constraint for the first sub-app
> > >in web.xml, but how am I going to authorize users who
> > >want to log in while they're in the first sub-app in a
> > >container-managed manner??
> > >
> > >Basically what I want to do is to log a user in with
> > >the container from a LoginAction class, rather than
> > >the good-old "j_security" way. Maybe this one should
> > >be asked to the Tomcat group, but in case some of you
> > >may know, Is there a way to log a user in with the
> > >container through a method interface inside an Action
> > >class instead of dispatching the request to
> > >j_security_constraint? I couldn't find such a method
> > >interface in the Servlet 2.3 specs.
> > >
> > >I'll appreciate any insight on this.
> > >
> > >Thanks,
> > >Mete Kural
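
The protected-page setup discussed in this thread, sketched as a web.xml fragment (an added example, not taken from any of the messages): only /protected.do and the second sub-app are constrained, so the first sub-app stays public. /loginForm.do and /protected.do come from the thread; the /members/* path, the "user" role and /loginError.do are assumptions.

```xml
<!-- Added example: web.xml fragment, elements in Servlet 2.3 DTD order.
     Assumed names: /members/*, role "user", /loginError.do. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Login trigger and members area</web-resource-name>
    <!-- Dummy page from the thread: it exists only to be protected,
         and redirects back to the public home page once reached. -->
    <url-pattern>/protected.do</url-pattern>
    <!-- Second sub-app, where login is mandatory (assumed path). -->
    <url-pattern>/members/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<!-- No constraint matches the first sub-app, so anonymous users
     can browse it without ever seeing the login form. -->

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/loginForm.do</form-login-page>
    <form-error-page>/loginError.do</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>
```

The container serves /loginForm.do only when an unauthenticated request reaches a constrained URL; the form itself posts j_username and j_password to j_security_check.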

