From what I gather, you are not using the built-in forms-based authentication? I'd like to stick with it for now but will consider other options as I add more functionality.

--- Jonathan Wilson <[EMAIL PROTECTED]> wrote:

> There's probably a much better way, but I like the fine-grained approach I use. Unfortunately (or fortunately) it requires *every* page you want access controlled to have a <jsp:include> tag. The included jsp file checks a session variable to determine if the user is logged in, and whether or not their 'role' is sufficient (my app-defined roles, not to be confused with the role mechanism contained within Tomcat itself) to access the resource - so the jsp:included page either forwards them to login page, notifies them they don't have the necessary privileges, or lets them pass through. For the proper jsp:forward after the user successfully logs in (or if s/he already has the proper perms) I just check a calling parameter which I set from the original calling page (which is properly URL encoded) and jsp:forward the user to that resource. You should check for null forwarding parameters in case the access controlled page doesn't actually set its forward address properly (well worth your time). Probably a confusing process, but it makes sense to me! ..and it's working on a large-scale in-house production app - there are performance issues I'm sure if you're considering a super-large deployment.
>
> If anybody has a better/quicker solution I'm interested.
>
> --JW
>
> footh wrote:
>
> > I have a quick question regarding Tomcat's form-based login. I have it working fine for pages that are listed as protected. For ex, if a user hits a protected page, they are redirected to a login page, we'll call it "login_required" that says the requested resource requires a login. If they fail the login, the error page, we'll call "login_invalid", appears which looks just like the login_required page except it says invalid login, please try again. If the user logs in correctly on any of these pages, they are redirected to the original protected page. This works great.
> >
> > But, the user can explicitly log in by clicking on a "log in" link everywhere on the site. I have an idea of how to do this, but I have a couple of questions regarding this idea.
> >
> > I was going to create a "login_dummy" page, a protected page that is the source of all the "login" links throughout the site. When this page is hit, the whole forms-based login process will occur. When the user finally authenticates, the login_dummy page will just redirect them to the home page.
> >
> > The questions I have are 1) I would really like to direct the user to the page they were on when they clicked the "login" link. I can't figure out how to do that. And 2) This method requires that I use the "login_required" page described above (the form attached to the form-based login) which will contain text like "the requested resource requires a login, etc, etc." When they click on a login link, they aren't accessing a protected resource, they are just logging in. So, I really need a different login page (or just different introductory text). However, I don't know how to differentiate that I'm coming from a direct login link.
> >
> > The latter issue isn't a big deal, I could always just use a generic login page. Anyway, does anyone have any ideas of how I might be able to implement this?
> >
> > Thanks,
> >
> > JF

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
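
The included check and post-login forward that Jonathan describes, sketched as plain Java so it runs without a servlet container. This is an added example, not code from the thread; the class, role names and page paths are assumptions, and the forward parameter is taken as already decoded by the container.

```java
import java.util.Arrays;

// Added illustration; AccessGate, Role and the page paths are hypothetical names.
public class AccessGate {
    // App-defined roles (not Tomcat's), ordered from least to most privileged.
    enum Role { USER, EDITOR, ADMIN }

    static final String LOGIN_PAGE = "/login.jsp";
    static final String DENIED_PAGE = "/denied.jsp";
    static final String HOME_PAGE = "/index.jsp";

    // The included check: returns the page to forward to, or null to pass through.
    static String check(Role sessionRole, Role required) {
        if (sessionRole == null) return LOGIN_PAGE;                   // no session role: not logged in
        if (sessionRole.compareTo(required) < 0) return DENIED_PAGE;  // logged in, role too low
        return null;
    }

    // Post-login target from the "calling page" parameter, as returned by
    // request.getParameter() (the container has already URL-decoded it).
    static String forwardTarget(String param) {
        if (param == null || param.isEmpty()) return HOME_PAGE;       // page never set it
        boolean contextRelative = param.startsWith("/")
                && !param.startsWith("//")                            // scheme-relative URL
                && !param.contains("://") && !param.contains("\\")
                && !param.contains("..")
                && param.chars().noneMatch(c -> c < 0x20);            // CR/LF and other controls
        if (!contextRelative) return HOME_PAGE;
        if (param.equals(LOGIN_PAGE)) return HOME_PAGE;               // avoid a login loop
        return param;
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        System.out.println(check(null, Role.USER));
        System.out.println(check(Role.USER, Role.ADMIN));
        System.out.println(check(Role.ADMIN, Role.EDITOR));
        for (String p : Arrays.asList(null, "", "/reports/view.jsp?id=7",
                "//other.example/x", "http://other.example/", "/login.jsp")) {
            System.out.println(p + " -> " + forwardTarget(p));
        }
    }
}
```

Falling back to a fixed home page covers both the null case mentioned in the thread and a parameter that does not name a page inside the application.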