it seems to me the simplest way to authenticate users is using form base
auth, in conjunction with declarative security (declaring
resources/roles in web.xml); the main problem with this approach in my
opinion is handling several login pages, for example; moreover, in order
to allow authentication to be performed on the home page, you need to
"force" the client to make a request to a protected page (correct??!!),
which seems not so clean!!
Whether it's not clean is a point of view: from another point of view, why should someone login on your home page when you have decided not to protect it?
I read something about JAAS, but didn't understand, for example, once logged in what should be done with the Subject object obtained after the login process!!! Following requests are automatically recognized coming from an authenticated user, as with normal form based auth ?? I'm a little confused about all this stuff... The main goals I have are:
In your JAAS code you just give it to the container. The container does what it has to with it. It's not a problem. But in the appservers I have used (er well just tomcat) you don't get to see your Subject again. You can query methods on the request object to find out about it, but that's it.
Allow login from the home page
Only circuitously as you have guessed.
Allow login from several pages (I can specify only one login page in web.xml !) Make all this in a clean way (for example not redirecting the user to a reserved page for making tomcat present the login page !!)
Basically your idea of a clean way is ruling out the possibilities. People do make use of CMS, but when they need the features you need, they all end up using redirects.
Adam
-- struts 1.1 + tomcat 5.0.16 + java 1.4.2 Linux 2.4.20 Debian
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
