http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17743

enhancements to allow automatic login for web apps

Summary: enhancements to allow automatic login for web apps
Product: Tomcat 5
Version: Nightly Build
Platform: All
OS/Version: All
Status: NEW
Severity: Enhancement
Priority: Other
Component: Catalina
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]

After a long dig for info on how to do this on the Tomcat/JBoss mailing lists and various web forums, I came to the conclusion that there's no clean way to do this w/o a hack (I'll describe the hack later).

By "automatic login", I mean the feature where you have some web sites that will offer to remember your username/password for you via a persistent cookie. The problem is there's no hook for this (though a Valve might do it). What you usually do is put some code on a page that initiates the login process by calling a container's authentication system.

The only way I could do this was to have a servlet simulate a POST to j_security_check; it works fine, but it'd be nice if I could do this in a supported way by calling a Tomcat function to do the authentication instead of doing the simulated POST hack. This hack only works if you use Form based authentication as well.

The problem w/ this approach is that if a user bookmarks a URL that has been restricted via container-managed declarative security, this technique won't work. The user will get prompted for username/password.

A somewhat related feature is the ability to have principals/roles propagate through all URLs of a web app instead of the way it is now where they are only readable in servlets/JSPs in the restricted URLs. I've found FAQs that indicate this is the way it is because the servlet spec is vague, but I'll give you a case where it is needed: you have a home page that has a hidden link that is only visible if a user has the Admin role. The home page is not restricted but the user does have the Admin role.
I'd like to see this in the 4.x codestream as well, but 5.0 sounds like it's close to release :-)