Hello Tomcat users. Can anyone please suggest a way to meet the following requirements for a Java web app (Servlet 2.4 spec version) using Tomcat 5.5?
Extend the HTML login form for an existing web application, which uses FORM-based authentication, to contain extra fields. Apply custom processing to the form. This code may accept/reject the login (in addition to any checks done by the Realm) and optionally alter the user's HTTP session. Two sample scenarios may help illustrate what I'm getting at:

1) The login form needs to ask an additional security question, as well as requiring the username and password. This is typical in online banking applications.

2) The form contains a 'remember me on this machine' checkbox which, if selected, results in a long-lived cookie being sent to allow automated login in subsequent sessions. (Yes, mixing FORM and cookie-based login is another problem in its own right, but not one to worry about right now.)

And no, I don't plan on using both of the above in the same application!

My first thought was to use a custom Realm, but it would not have access to the HttpServletRequest and hence can't see the additional form fields. There does not appear to be a way to register a custom handler for the magic j_security_check URL, so I can't subclass or otherwise override the container at that point either. Working back further, how about intercepting the login form submission before it reaches the built-in handler? Turns out that filters defined in the web.xml won't fire on that magic URL, so I can't do that either. Note: IMO this is a feature rather than a bug, but I'm open to correction.

I'm out of ideas for the time being, short of patching the Tomcat source. Since that would complicate our deployment and management immensely, it's very much a last resort. Dumping the authentication support provided by the spec/container in favour of our own filters is another unpleasant alternative.

Can anyone suggest a better approach?
Thanks,
Jonathan
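One route the post does not consider: Tomcat's FORM handling is itself a Valve (org.apache.catalina.authenticator.FormAuthenticator), and a Context only installs the default authenticator when no Authenticator is already in its pipeline, so a subclass declared in the webapp's context.xml sees the j_security_check POST with the full request before the Realm is consulted. The class below is an added example for scenario 1, not code from this thread; it assumes Tomcat 5.5's FormAuthenticator/Request API (Constants.FORM_ACTION, forwardToErrorPage, HexUtils), a hypothetical extra form field j_security_answer, and a hypothetical WEB-INF/security-answers.properties file of user=hex(sha256(answer)) lines.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Properties;
import org.apache.catalina.authenticator.Constants;
import org.apache.catalina.authenticator.FormAuthenticator;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.util.HexUtils;

/** Replaces the default FORM authenticator for one context; declared in that context's
 *  context.xml as <Valve className="ExtendedFormAuthenticator"/>. Tomcat only adds its own
 *  authenticator when the pipeline has none, so this sees every j_security_check POST. */
public class ExtendedFormAuthenticator extends FormAuthenticator {
    private static final String ANSWER_FIELD = "j_security_answer";  // extra form field (hypothetical name)
    // user=hex(sha256(answer)) lines, kept outside the document root (hypothetical file)
    private static final String ANSWER_FILE = "/WEB-INF/security-answers.properties";

    public boolean authenticate(Request request, Response response, LoginConfig config) throws IOException {
        boolean loginPost = "POST".equals(request.getMethod()) && request.getRequestURI().endsWith(Constants.FORM_ACTION);
        if (loginPost && !answerMatches(request)) {
            forwardToErrorPage(request, response, config); // same error page as a bad password
            return false;
        }
        boolean ok = super.authenticate(request, response, config); // Realm still checks the password
        if (ok && loginPost) {
            // expose the extra check's outcome to servlets and filters for the rest of the session
            request.getSession(true).setAttribute("extraCheckPassed", Boolean.TRUE);
        }
        return ok;
    }

    /** True only if sha256(submitted answer) equals the hash stored for j_username. */
    private boolean answerMatches(Request request) throws IOException {
        String user = request.getParameter(Constants.FORM_USERNAME);
        String answer = request.getParameter(ANSWER_FIELD);
        if (user == null || answer == null) return false;
        InputStream in = request.getContext().getServletContext().getResourceAsStream(ANSWER_FILE);
        if (in == null) return false;                // missing file fails closed
        Properties stored = new Properties();
        try { stored.load(in); } finally { in.close(); }
        String expectedHex = stored.getProperty(user);
        if (expectedHex == null) return false;
        try {
            byte[] actual = MessageDigest.getInstance("SHA-256").digest(answer.trim().getBytes("UTF-8"));
            return MessageDigest.isEqual(HexUtils.convert(actual).getBytes("UTF-8"), expectedHex.toLowerCase().getBytes("UTF-8"));
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

Because a wrong answer is forwarded to the same error page as a wrong password, the response does not reveal which of the two checks failed.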
