You just put some lines in the web.xml (see Servlet 2.2 spec) and your
servlet engine should enforce the security for you when a protected URL is
requested.

For example, put the following in the web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin Area</web-resource-name>
    <url-pattern>/admin/protected/*</url-pattern>
    <url-pattern>/admin/menu/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>maintenance</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Form-Based Authentication Area</realm-name>
  <form-login-config>
    <form-login-page>/admin/login/login.jsp</form-login-page>
    <form-error-page>/admin/login/error.jsp</form-error-page>
  </form-login-config>
</login-config>

Then you make a JSP for the login page with a form that has
action="j_security_check", a text field with name="j_username" and a
password field with name="j_password".

Now, has anyone got any ideas about how to handle my issue with sessions
dying with new windows in IE (short of formatting my computer and becoming a
janitor)?

> -----Original Message-----
> From: Boris Garbuzov [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 1 June 2001 4:10 p.m.
> To: [EMAIL PROTECTED]
> Subject: Re: New Windows, IE 5 and Tomcat sessions dying
>
>
> Is it a new J2EE standard of login - so called authentication? Where to
> read about it?
>
>
> ------------
>
>
>
> Graeme Miller wrote:
>
> > We are using Tomcat J2EE form-based login security on our website. The
> > user requests a protected page and is automatically redirected by Tomcat
> > to the login page from which they log in and enter the site. No problem
> > there - it works perfectly.
> >
> > However when we open a new window using window.open(url),
> > window.showModelessDialog(url) or window.showModalDialog(url) call in
> > JavaScript, things go badly wrong. The moment the new window is closed
> > the user has to log in again in the main window before they can do
> > anything else. Had a look at request and the j_username and j_password
> > variables appear to be deleted from the session attributes the moment you
> > close the new window, but cookie with the session id still appears to be
> > present.
> >
> > Has anyone else had this problem? Any known solutions? We have tried 5
> > different workarounds, none of them work and it's now driving us crazy!
> >
> > Thanks,
> >
> > Graeme.
>
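
A check for the web.xml fragment at the top of this reply, as an added example that is not part of the original thread: it parses the descriptor and reports constraints that list only some HTTP methods, constraints with no CONFIDENTIAL transport-guarantee (so the container does not insist on TLS for j_password and the session cookie), and FORM login or error pages that sit behind a protected url-pattern. The function names and finding codes are this example's own; the sample is the post's fragment wrapped in a <web-app> root.

```python
import xml.etree.ElementTree as ET

# The fragment from the post (realm-name omitted), wrapped in <web-app> so it parses alone.
PAGE_CONFIG = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin Area</web-resource-name>
      <url-pattern>/admin/protected/*</url-pattern>
      <url-pattern>/admin/menu/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>maintenance</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method><form-login-config>
    <form-login-page>/admin/login/login.jsp</form-login-page>
    <form-error-page>/admin/login/error.jsp</form-error-page>
  </form-login-config></login-config></web-app>"""

def covers(pattern, path):
    """Servlet url-pattern match: '/dir/*' prefix, '*.ext' extension, else exact."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def audit(xml_text):
    """Return (code, detail) findings; the codes are this example's own labels."""
    root, findings, protected = ET.fromstring(xml_text), [], []
    for sc in root.iter("security-constraint"):
        name = (sc.findtext("web-resource-collection/web-resource-name") or "?").strip()
        if sc.find("auth-constraint") is not None:
            protected += [p.text.strip() for p in sc.iter("url-pattern") if p.text]
        methods = [m.text.strip() for m in sc.iter("http-method") if m.text]
        if methods:  # listing methods leaves every unlisted method unconstrained
            findings.append(("METHOD_SUBSET", f"{name}: only {methods} constrained"))
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        if guarantee != "CONFIDENTIAL":  # container will not insist on TLS here
            findings.append(("NO_TRANSPORT_GUARANTEE", name))
    login = root.find("login-config")
    if login is not None and (login.findtext("auth-method") or "").strip() == "FORM":
        for tag in ("form-login-page", "form-error-page"):
            page = (login.findtext(f"form-login-config/{tag}") or "").strip()
            if not page or any(covers(p, page) for p in protected):
                findings.append(("BAD_LOGIN_PAGE", f"{tag}={page!r} missing or protected"))
    return findings

if __name__ == "__main__":
    for code, detail in audit(PAGE_CONFIG):
        print(code, detail)
```

On the post's fragment the only finding is the missing transport-guarantee; adding a user-data-constraint with transport-guarantee CONFIDENTIAL inside the security-constraint clears it.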