Joakim Verona wrote:

> Hello,
>
> I would like a certain JSP file to always be executed when form based
> auth succeeds, regardless of which resource we are trying to get at,
> something like an event-handler for the auth event.
>
> I can't really find a provision for such a function, other than having
> some session variable to check against, and including the same piece of
> code in every page.
>
> This is doable, but is there any more elegant solution?
>

Doing this goes quite a lot against the intent of what form-based
authentication is all about.

Have you ever gone to a website with a protected area, where it popped up
the username/password dialog box? (In other words, you were using BASIC
authentication). What happens is that you type in your username/password
and then you are sent to whatever page you originally requested.

Form based login is supposed to work exactly like that. The first time you
try to access a page that is protected by a security constraint, the
servlet container will save your original request and present the login
page to you. Then, when you are successfully authenticated, your
*originally* requested page is displayed.

You will be able to tell whether the user is authenticated or not by
checking the values returned by request.getRemoteUser() and
request.getUserPrincipal().

>
> I will need to make my own security interceptor at some stage. Should I
> take care of this need in the interceptor?
>
> --
> Joakim Verona
> [EMAIL PROTECTED]
> http://www.verona.se/

Craig McClanahan
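
Added example, not part of the original messages and not code from either poster: one way to run post-login work once per session from a single place, keyed on request.getUserPrincipal() as mentioned in the reply, while still letting the container serve the originally requested page. It assumes a Servlet 2.3 or later container (javax.servlet.Filter) with the filter mapped to /* in web.xml; the class name, session attribute name and onLogin method are hypothetical.

```java
// Added example; class, attribute and method names are hypothetical.
// Assumes a Servlet 2.3+ container (javax.servlet.Filter), mapped to /* in web.xml.
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class PostLoginFilter implements Filter {
    // Session attribute recording which user the hook has already run for.
    private static final String HANDLED_FOR = "postLogin.handledFor";
    private ServletContext context;

    public void init(FilterConfig config) throws ServletException {
        context = config.getServletContext();
    }

    public void destroy() {
        context = null;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            Principal user = http.getUserPrincipal(); // null until the container has authenticated
            if (user != null) {
                HttpSession session = http.getSession(true);
                // Compare names so a different user on the same session triggers the hook again.
                if (!user.getName().equals(session.getAttribute(HANDLED_FOR))) {
                    session.setAttribute(HANDLED_FOR, user.getName());
                    onLogin(http, user);
                }
            }
        }
        chain.doFilter(req, res); // the originally requested resource is still served
    }

    // Post-login work goes here; concurrent first requests may call it more than once.
    private void onLogin(HttpServletRequest http, Principal user) {
        context.log("login: user=" + user.getName() + " from=" + http.getRemoteAddr()
                + " first-resource=" + http.getRequestURI());
    }
}
```

The hook fires on the first request that arrives with a principal set, which after form login is the restored original request, so no per-page include is needed.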

