I presume for this topic I'd better continue as we are and I'll get it right next time.
I was wondering exactly how the servlet container knows whether the user has already authenticated or not.
With BASIC authorization an "Authorization" header is sent and based on that the programmes know whether to re-present the sign in or not.
I'm using an old nuts and bolts programme that actually programmatically sent the "Authorization" header string for BASIC authorization, and I'd like to continue using this programme, but I have to tell the new FORM version that I've already signed in, and I don't know how.
On Thu, 1 Apr 2004 09:10:18 -0600, QM <[EMAIL PROTECTED]> wrote:
On Thu, Apr 01, 2004 at 04:38:49PM +0200, Malcolm Warren wrote: : With BASIC authorization, which I used to use, the browser was sent an : "Authorization" header. : : This doesn't happen with FORM-based authorization. : I believe Tomcat deals with it all, but how? Anybody know?
Not sure I understand your question -- with FORM-based auth: - the container detects an attempt to access a protected resource - container sends requestor to designated form page, which posts to the blackbox "j_security_check" - success => user is taken to originally-requested page - failure => user is taken designated "no-go" page
Is that the answer to your question?
btw, please start new threads for new topics -- replying to an old message plays hell with thread-aware mail readers, even if you change the subject. ;)
-QM
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
