All:

When I first converted my app to use the Struts framework, I cribbed the
login mechanism from the Struts example application.  This worked
nicely; besides the initial login function, the combination of the
global "loginpage" forward and the app:checklogin tag (as well as the
login check in the Actions) forced the user to the application login
page if he tried to come into the application "in the middle" via a
bookmark or something.  Finally, there was a "logout" action with a
session.invalidate() method call that also threw the user back to the
application login page.

After some reading which recommended container-managed security -- and
also after I decided I would like to use the Jakarta Taglibs
req:isUserInRole tag to vary menus, etc., by user role -- I switched
over to using a Tomcat security constraint.

Everything still works fine -- when the user links to the app "welcome"
page, Tomcat throws up a login dialog, and if he tries to come into the
app "in the middle" via a bookmark, he also is required to log in via
Tomcat. However, since the application no longer has its own login page,
I seem to have lost the ability to log him out and require a re-login.
The logout action still performs the session.invalidate() method and
takes him to the "you have logged out" page, but I don't know how to
force the Tomcat login dialog; in other words, if I put a link back to
the "welcome" page on the "you have logged out" page, it just goes back
to the "welcome" page without requiring him to log in again.

If he closes the browser, of course, he has to log in again, but I'm
looking for the same kind of forced re-login behavior that the original
application-controlled login mechanism gave me.

Any ideas?


Charles McClain
Phone:  603.659.2046
email:    [EMAIL PROTECTED]

