Drasko Kokic wrote:
> Maybe my original post was not clear, hence no reply
> received :-(
>
> Questions:
> 1.) Is it possible to specify login page on the other
> servlet context (or other web site)?!
You could go parse the web.xml file for the "other" context, although it
is not clear to me why you really care. The idea of single sign on is to
use the standard sign on mechanism for the current app, the first time
the user tries to access a protected resource.
>
> 2.) How can I detect in the authorise method if the
> method is being invoked after submitting
> username/password on the login page or after
> requesting any other protected page?!
>
You can't really do this. All you can tell is that "this request needs
authorization".
My understanding of the intent of the "single sign on" logic, and the way
that it is currently implemented in Tomcat 4.0-b1, differs somewhat from
the approach you are describing. Here's what I did:
* The design center is that you have a set of "cooperating"
web applications, and want a user to have to sign on only
once to use any of the apps. Think of a portal site that has
various apps for the user (mail, chat, etc.).
* While the user is browsing unprotected pages of the various
apps, nothing special happens.
* The first time that the user browses to a protected page, they
are challenged for their authentication credentials, using the
login method of *that* particular web app.
* From now on, this user is recognized as being authenticated
(using the original authentication method, as returned by
request.getAuthType()), in *all* of the cooperating apps.
Using this approach, it is never necessary for one web app to know *how*
another web app does its authentication. You only care whether or not it
has already been done. In Tomcat 4.0, this is done as follows:
* A special Valve (somewhat similar to a request interceptor in Tomcat 3.x)
is invoked *before* the standard authentication interceptor.
* This special Valve checks for a special cookie, looks up the previously
authenticated user, and records that information in the request object.
* By the time the standard authentication interceptor sees the request,
it finds that the authenticated user has already been filled in, so it skips
authentication and proceeds to testing the user's roles against the
security constraints.
From the user's perspective, he or she just has to sign on the first
time, using the standard sign on mechanism for whatever app they first
entered, and then they are recognized throughout the suite of cooperating
applications.
From the servlet container's perspective, you never need to worry about
redirecting the user to a login page in a different web app -- just use
the standard login facilities of the current web app, and then remember
this user somehow.
Craig McClanahan
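The two-stage pipeline described in the reply (an SSO valve in front of the per-app authenticator), modelled as an added, self-contained example; it is not Craig's code or Tomcat's, and the cookie name, user store, app login methods and security constraints are constructed stand-ins:

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Request:
    app: str
    path: str
    cookies: dict = field(default_factory=dict)
    credentials: Optional[tuple] = None  # (user, password) posted to this app's own login
    principal: Optional[str] = None
    auth_type: Optional[str] = None      # what request.getAuthType() would report
# Constructed sample data: user store, each app's login method, security constraints.
USERS = {"alice": ("s3cret", {"user"}), "bob": ("hunter2", {"user", "admin"})}
APPS = {"mail": "FORM", "chat": "BASIC"}
CONSTRAINTS = {("mail", "/inbox"): {"user"}, ("chat", "/admin"): {"admin"}}

class SingleSignOn:
    """Runs before the authenticator: SSO cookie -> cached principal -> request."""
    COOKIE = "SSO_TOKEN"  # hypothetical cookie name
    def __init__(self):
        self.cache = {}   # token -> (principal, auth_type of the original sign-on)
    def invoke(self, req):
        entry = self.cache.get(req.cookies.get(self.COOKIE))
        if entry:
            req.principal, req.auth_type = entry
    def register(self, req):
        token = secrets.token_urlsafe(32)          # unguessable bearer token
        self.cache[token] = (req.principal, req.auth_type)
        req.cookies[self.COOKIE] = token           # stands in for Set-Cookie on the response

class Authenticator:
    """Per-app authenticator; skips the challenge when SSO already filled in the user."""
    def __init__(self, sso):
        self.sso = sso
    def invoke(self, req):
        roles = CONSTRAINTS.get((req.app, req.path))
        if roles is None:
            return 200                              # unprotected page, nothing special
        if req.principal is None:                   # not signed on anywhere yet
            rec = USERS.get(req.credentials[0]) if req.credentials else None
            if rec is None or not secrets.compare_digest(rec[0], req.credentials[1]):
                return 401                          # challenge with *this* app's login method
            req.principal, req.auth_type = req.credentials[0], APPS[req.app]
            self.sso.register(req)                  # remember this user for the whole suite
        return 200 if roles & USERS[req.principal][1] else 403

def handle(sso, auth, req):
    sso.invoke(req)
    return auth.invoke(req)
```

Once alice has signed on to the FORM-protected mail app, a request to the BASIC-protected chat app carries her principal and the original auth type across without chat ever challenging her; a forged or unknown SSO cookie falls through to the normal challenge.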