fortunately) it requires *every* page you want access controlled to have a <jsp:include> tag. The
included jsp file checks a session variable to determine if the user is logged in, and whether or
not their 'role' is sufficient (my app-defined roles, not to be confused with the role mechanism
contained within Tomcat itself) to access the resource - so the jsp:included page either forwards them to login page,
notifies them they don't have the necessary privileges, or lets them pass through. For the proper jsp:forward after the
user successfully logs in (or if s/he already has the proper perms) I just check a calling parameter which I set from the original calling page (which is properly URL encoded) and jsp:forward the user to that resource. You should check for null forwarding parameters in case
the access controlled page doesn't actually set its forward address properly (well worth your time). Probably a confusing
process, but it makes sense to me! ..and it's working on a large-scale in-house production app - there are performance issues I'm sure
if you're considering a super-large deployment.
If anybody has a better/quicker solution I'm interested.
--JW
footh wrote:
I have a quick question regarding Tomcat's form-based login. I have it working fine for pages that are listed as protected. For ex, if a user hits a protected page, they are redirected to a login page, we'll call it "login_required" that says the requested resource requires a login. If they fail the login, the error page, we'll call "login_invalid", appears which looks just like the login_required page except it says invalid login, please try again. If the user logs in correctly on any of these pages, they are redirected to the original protected page. This works great.
But, the user can explicitly log in by clicking on a "log in" link everywhere on the site. I have an idea of how to do this, but I have a couple of questions regarding this idea.
I was going to create a "login_dummy" page, a protected page that is the source of all the "login" links throughout the site. When this page is hit, the whole forms-based login process will occur. When the user finally authenticates, the login_dummy page will just redirect them to the home page.
The questions I have are 1) I would really like to direct the user to the page they were on when they clicked the "login" link. I can't figure out how to do that. And 2) This method requires that I use the "login_required" page described above (the form attached to the form-based login) which will contain text like "the requested resource requires a login, etc, etc." When they click on a login link, they aren't accessing a protected resource, they are just logging in. So, I really need a different login page (or just different introductory text). However, I don't know how to differentiate that I'm coming from a direct login link.
The latter issue isn't a big deal, I could always just use a generic login page. Anyway, does anyone have any ideas of how I might be able to implement this?
Thanks,
JF
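Added example, not code from either poster: the decision logic of the include-based check described in the reply, written as plain Java so it runs without a servlet container. It goes beyond the null check mentioned there by also falling back to a default page when the forward parameter is not a local, non-internal path. The role names, their ranking, the class and method names and the `/index.jsp` fallback are all assumptions.

```java
import java.util.Locale;
import java.util.Map;

public class AccessGate {
    enum Outcome { LOGIN, DENIED, PASS }

    // Assumed app-defined roles, ranked; not Tomcat's own role mechanism.
    static final Map<String, Integer> RANK = Map.of("viewer", 1, "editor", 2, "admin", 3);

    // Decision the included check makes for one request.
    static Outcome check(String sessionRole, String requiredRole) {
        Integer have = sessionRole == null ? null : RANK.get(sessionRole);
        if (have == null) return Outcome.LOGIN;       // no usable session role: go to login
        Integer need = requiredRole == null ? null : RANK.get(requiredRole);
        if (need == null) return Outcome.DENIED;      // page misdeclared its role: fail closed
        return have >= need ? Outcome.PASS : Outcome.DENIED;
    }

    // Target for the post-login forward. 'param' is the already-decoded
    // calling parameter, as request.getParameter() would return it.
    static String forwardTarget(String param, String fallback) {
        if (param == null || param.trim().isEmpty()) return fallback; // page never set it
        String p = param.trim();
        String lower = p.toLowerCase(Locale.ROOT);
        // Conservative: context-relative path only, no scheme, no traversal.
        boolean local = p.startsWith("/") && !p.startsWith("//")
                && !p.contains("\\") && !p.contains("..") && !p.contains(":")
                && p.chars().noneMatch(Character::isISOControl);
        // A server-side forward can reach directories that are not served directly.
        boolean internal = lower.startsWith("/web-inf") || lower.startsWith("/meta-inf");
        return (local && !internal) ? p : fallback;
    }

    public static void main(String[] args) {
        // Constructed sample requests: {session role, required role, forward parameter}
        String[][] samples = {
            {null, "editor", "/reports/edit.jsp?id=7"},
            {"viewer", "editor", "/reports/edit.jsp"},
            {"admin", "editor", null},
            {"editor", "editor", "/WEB-INF/web.xml"},
            {"editor", "editor", "//example.invalid/x"},
        };
        for (String[] s : samples) {
            System.out.printf("role=%s need=%s -> %s, forward=%s%n",
                    s[0], s[1], check(s[0], s[1]), forwardTarget(s[2], "/index.jsp"));
        }
    }
}
```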
