It all falls under "Container-Managed Authentication". It's just a
different authentication method.
FORM-based authentication is what you see ... on a lot of sites :-)
(either that or custom [roll-your-own] authentication) where you get the
login prompt in the form of an actual page. The keys are:
- submit to action="j_security_check"
- field named "j_username"
- field named "j_password"
You would configure your security-constraints the same way you do now.
This is a servlet specification thing. The only thing that you
(should) have to change is the type of authentication (there is
additional configuration for form-based auth - must specify login page
and error page). Apart from the minor differences in configuration, it
really is as straightforward as the above. Note that you'll have to
configure a realm for the container to look up the users in. This could
be a flat file, a DBMS, or a JNDI resource. Of course, you could probably
"roll your own" here too (Tomcat lets you anyway), so you're not really
constrained to using only those provided. For more information on
realms, see your servlet container's user guide - that is
container-specific (the configuration is anyway). Oh, never mind - you had
to do that for BASIC as well - duh. OK :-) That's really it.
Here is my form-based auth config - it should look strikingly similar to
what you already have ;-)

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/member/login/cmaLogin.jsp</form-login-page>
            <form-error-page>/member/login/error.jsp</form-error-page>
        </form-login-config>
    </login-config>

I reference Jason Hunter's book Java Servlet Programming, and also Hans
Bergsten's book Java Server Pages (both from O'Reilly). Both of them
include information on this topic. I think I tend to refer to Hans'
book more often though ... though I'm not sure why :-) I think it's
because that's the one I have it bookmarked in. You should also be able
to reference the servlet specification itself.
Charles McClain wrote:
>Eddie:
>
>Thanks for the reply. Yes, I am using BASIC authentication. You
>mention FORM-based authorization, and it sounded to me as if you were
>speaking of another version of container-managed authentication;
>however, I'm not familiar with it. Can you point me in the right
>direction, and I'll do the research?
>
>Also in passing, I should mention that one of the reasons I switched to
>container-managed authentication is that I anticipate my app having to
>run inside a client's portal, and I anticipate that I'll have to avoid a
>2nd login; in other words, their users will log in to the portal, and I
>won't have the option of requiring them to log in again to my app.
>
--
Eddie Bush
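
An added example, not part of the original message: a small Python check that a deployment descriptor and login page satisfy the FORM-auth requirements listed in the reply above (action j_security_check, fields j_username and j_password, both a login page and an error page configured). The sample login page markup, the function names and the POST-method check are assumptions added here; the login-config values are the ones from the post.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample inputs: the login-config from the post, and a hypothetical login page.
WEB_XML = """<web-app><login-config><auth-method>FORM</auth-method><form-login-config>
  <form-login-page>/member/login/cmaLogin.jsp</form-login-page>
  <form-error-page>/member/login/error.jsp</form-error-page>
</form-login-config></login-config></web-app>"""
LOGIN_PAGE = """<form method="POST" action="j_security_check">
  <input type="text" name="j_username"> <input type="password" name="j_password">
</form>"""

class FormScan(HTMLParser):  # records each form's action, method and input names
    def __init__(self):
        super().__init__()
        self.forms = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "fields": set(),
                               "method": (a.get("method") or "get").lower()})
        elif tag == "input" and self.forms:
            self.forms[-1]["fields"].add(a.get("name"))

def check_descriptor(web_xml):
    """Return problems with the FORM login-config in a web.xml string."""
    root = ET.fromstring(web_xml)
    for el in root.iter():  # drop XML namespaces used by newer descriptors
        el.tag = el.tag.rsplit("}", 1)[-1]
    problems = []
    if (root.findtext("login-config/auth-method") or "").strip() != "FORM":
        problems.append("auth-method is not FORM")
    for tag in ("form-login-page", "form-error-page"):
        page = (root.findtext("login-config/form-login-config/" + tag) or "").strip()
        if not page.startswith("/"):
            problems.append(tag + " missing or not starting with /")
    return problems

def check_login_page(html):
    """Return problems with the login form (the POST check is an added hardening check)."""
    scan = FormScan()
    scan.feed(html)
    forms = [f for f in scan.forms if "j_security_check" in f["action"]]
    if not forms:
        return ["no form submits to j_security_check"]
    problems = ["missing field " + n for n in ("j_username", "j_password")
                if n not in forms[0]["fields"]]
    if forms[0]["method"] != "post":
        problems.append("form method is not POST")
    return problems
```

The POST check is there because a GET form would put j_password into the URL, and from there into access logs and browser history.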