Craig R. McClanahan wrote:
>
> On Thu, 22 Mar 2001 [EMAIL PROTECTED] wrote:
>
>>>> So in essence the question is: Is there a way to specify a "global" login
>>>> and error page that will be used by all webapps?
>>>>
>>> No. Each web application is still a stand-alone entity.
>>>
>>> What single sign on support does for you is remember that you've signed on
>>> already. You are still using whatever login mechanism is defined for each
>>> individual web app. They don't even have to all use the same approach
>>> (some could be BASIC, some could be FORM, for example).
>>>
>> What's the thinking behind this? Single sign on would imply having, at least
>> the option of having a single login page, even if an individual web
>> application could override the default and provide its own (for instance I
>> guess webdav can't use FORM, so would have to override a FORM default to use
>> BASIC/DIGEST).
>>
>
> The primary thinking behind this is to obey the servlet specification's
> requirements :-).
>
> The typical use case is a "portal" site (say, like Yahoo) where there are
> a variety of applications that require you to log on before use, mixed in
> with a ton of stuff that is available to everyone. Each of the
> applications has its own individual look-and-feel (within the broad UI of
> the entire site), and doesn't necessarily *want* to have to share a page.
>
> Now, I can go browse around Yahoo to my heart's content. As soon as I
> access an app that needs a login, I'm asked to do so (within the context
> of that app). To avoid making me unhappy, the site remembers who I am so
> that when I switch to a different application that needs login, I go
> straight to what I asked for without having to identify myself again.
>
>> Having to define login for each web application:
>> 1. provides a maintenance problem if you do want a common login page across
>> all webapps
>
>
> Seems like a simple problem to solve in your build scripts. Copying
> commonly used components from a single source repository is quite
> straightforward.
>
>> 2. begins to enter into "using my password for something I haven't approved
>> it to be used for" territory. i.e. the login page says you are logging into
>> webapp1, but in fact your login will be used for webapp2. A single login
>> page would tell you you are logging into both.
>>
>
> So, all you have to do is say so on the login page, and this confusion
> cannot happen, right? If you follow the suggestion above and copy the
> common login page to each app you will have certainly done this.
>
>> Hence my initial question - is this just the way it has been done, or does
>> the Spec say it must be done that way etc.?
>>
>
> http://java.sun.com/products/servlet/download.html
>
> See the "Security" chapter in the Servlet 2.2 spec. You will also want to
> review the requirements on servlet contexts (i.e. web applications) and
> sessions (scoped to a single web app) that affect application design for
> environments like the one discussed above.
>
>> Many thanks
>>
>> Tim
>
>
> Craig McClanahan
Also, can someone explain to me: when my authentication is successful using
JDBCRealm, how do I get the role information, because only two attributes
are set for the session (username and password)? Do I have to go back to
the roles table to get the role info, or are they stored in some way in
the session?
TIA
--
Manish Poddar
Paycom.net
310-827-5880 x 327
818-415-7447 (m)
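On the roles question, as an added example that is not from this thread or from Tomcat's own code: the Servlet API hands the authenticated principal and role membership to the webapp through the request, so the application never re-reads the roles table and never needs the password from the session. The servlet name, the role names and the web.xml entries it relies on are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical servlet showing where role information lives after a
 * container-managed login: not in HttpSession attributes, but on the
 * request, which the container populates from the Realm (for JDBCRealm,
 * from the roles table it is configured with).
 *
 * Assumes web.xml declares the roles it asks about, e.g.
 *   <security-role><role-name>manager</role-name></security-role>
 * and protects this servlet's URL with a <security-constraint> whose
 * <auth-constraint> lists those roles; otherwise isUserInRole() is false.
 */
public class WhoAmIServlet extends HttpServlet {

    // Role names assumed to exist in the realm's roles table; adjust to yours.
    private static final String[] ROLES = { "manager", "customer" };

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // Set by the container only after it authenticated this request.
        Principal p = req.getUserPrincipal();
        if (p == null) {
            // Reached only if the URL is not covered by a security-constraint.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "not authenticated");
            return;
        }
        out.println("user: " + req.getRemoteUser());  // same name as p.getName()
        out.println("auth: " + req.getAuthType());    // BASIC, FORM, DIGEST, ...

        // The container resolves membership itself; the webapp neither queries
        // the roles table nor touches the password to make this decision.
        for (int i = 0; i < ROLES.length; i++) {
            out.println("role " + ROLES[i] + ": " + req.isUserInRole(ROLES[i]));
        }
    }
}
```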