"Craig R. McClanahan" wrote:
>
> On Sun, 11 Mar 2001, Vladimir Grishchenko wrote:
>
> > Hi,
> >
> > Just wondering if it's possible to get built-in form based authentication to
> > work without the user actually trying to access a protected resource? I want to
> > have a login box on the first page that users can use to authenticate
> > themselves at my web-site.
>
> "Authenticate on first access to a protected resource" is exactly what the
> servlet spec requires. This is true for BASIC authentication as well --
> it is not specific to form based.
>
I understand, I also understand Tomcat conforms to the 2.2 spec.

> > As you can guess simply specifying "j_security_check"
> > as form's action won't work. So, is there any way to accomplish this just using
> > Servlet 2.2 specified form based auth. mechanism or I need to resort to some
> > sort of custom security/session checker servlet??? Briefly looked through the
> > mailing list archives and couldn't find any info.
> >
>
> A couple of choices to consider:
>
> * Protect your entire web app with a security constraint that has
> a "/*" URL pattern (NOTE - there is a bug in Tomcat 3.2.1 that
> prevents this from working because the form login page would be
> inside the protected area).
>
> * Have the link on your home page exactly as you describe, but have
> the link point at a "Welcome To My Application" page inside the
> protected area. The fact that this page is protected will trigger
> the authentication dialog, and once the user has identified themselves,
> they will be welcomed to your app. From then on, they will have
> already been authenticated.

The interface I want to use is similar to one found here:
http://groups.google.com/
or here:
http://developer.java.sun.com/developer/?frontpage-main
You can see a login box on the first page, so I cannot really have a link to
some page in the protected area and make sure the login form is triggered...
I just want to know if there are any tricks I can play to make it work
with built-in authentication, and form-based a. seems to be almost what I
want, except for the fact that it must be triggered by a request to a protected resource.
>
> > Thanks in advance,
> > VG.
> >
>
> Craig McClanahan
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, email: [EMAIL PROTECTED]
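
The second option Craig describes, as an added example that is not part of the original thread: a Servlet 2.2 web.xml in which only /app/* is protected, so a home-page link to /app/welcome.jsp triggers the form login. The paths, file names, the role name "member" and the transport guarantee are assumptions made for the illustration.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
    "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
  <!-- Public home page (assumed name). It carries a plain link to
       /app/welcome.jsp, not a form that posts to j_security_check. -->
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <!-- Only /app/* is protected, so /login.jsp and /login-error.jsp stay
       outside the constraint (a "/*" pattern would put them inside it). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Members area</web-resource-name>
      <url-pattern>/app/*</url-pattern>
      <!-- No http-method elements: the constraint covers every method. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
    <!-- Assumption added here: the protected area is served over a
         confidential transport, which needs an SSL connector. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- The container shows /login.jsp on the first request to /app/*.
       That page posts j_username and j_password to j_security_check. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>member</role-name>
  </security-role>
</web-app>
```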