This should probably be asked in a design/development user list. But I'm taking my chances. Flames - please direct to my email id rather than the user list :-) Well anyway.....

I have an application that is protected by Basic authentication. Well, it's an external module plugged into Apache. So when a user tries to log into a secure directory, Apache (with the help of the external auth module) sends a 401 error back to the browser. The user enters the userid:pwd and everything works great.

Now the question: Suppose I display a login page (non-secure area) with a form (userid, pwd textfields) to the user. The user enters the user id and password and submits the page to a jsp, probably (or a servlet). I'd then set an Authorization header in the jsp (servlet) and forward (or include - wonder which would be appropriate) the request to the corresponding page in the secure area. So far everything looks do-able. The secure page does its thing and sends back a response to the user.

But I was wondering: if the user then tries to click on a link in the output which calls another page in the secure area, will the browser pass the authentication headers (I guess not)? If it does not, then Apache would probably send a 401 back. I was hoping to eliminate the jsp (or servlet) that does the initial authentication for future requests.

I think I'm talking about a Controller jsp (servlet) kind of deal here. But I want the controller only for login purposes. Don't you think calling every request through the Controller servlet would be a trade-off with respect to performance? If not, and performance isn't an issue, then the jsp (or servlet) should be able to call any page (jsp, html, servlet, coldfusion page, etc). Also, the controller jsp (servlet) would need to intercept a 401 error if the user sends an invalid userid/pwd and redisplay the login form page.

Your ideas, comments, code would be appreciated.
Thanks
RS
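The controller step described in the message above, as an added example that is not part of the original post: a login handler builds the Authorization header from the submitted userid and pwd, requests the secure page itself, and reads the status to decide whether to redisplay the form. The embedded JDK HttpServer, the account values, and the class and method names are constructed stand-ins for the Apache-protected directory.

```java
import com.sun.net.httpserver.BasicAuthenticator;
import com.sun.net.httpserver.HttpServer;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class LoginControllerDemo {
    // Basic credentials are base64("userid:pwd"); the first ':' splits them, so reject it in the userid.
    static String basicHeader(String userid, String pwd) {
        if (userid.indexOf(':') >= 0) throw new IllegalArgumentException("':' not allowed in userid");
        byte[] raw = (userid + ":" + pwd).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }
    // Controller side: request the secure page, optionally with credentials, and return the HTTP status.
    static int fetchStatus(URL url, String authorization) throws Exception {
        HttpURLConnection c = (HttpURLConnection) url.openConnection();
        if (authorization != null) c.setRequestProperty("Authorization", authorization);
        try { return c.getResponseCode(); } finally { c.disconnect(); }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the protected directory; the account below is demo data only.
        HttpServer secure = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        secure.createContext("/secure/", ex -> {
            byte[] body = "secure page".getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(200, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        }).setAuthenticator(new BasicAuthenticator("demo") {
            @Override public boolean checkCredentials(String u, String p) {
                return u.equals("rs") && p.equals("constructed-demo-pwd");
            }
        });
        secure.start();
        URL page = URI.create("http://127.0.0.1:" + secure.getAddress().getPort() + "/secure/page").toURL();
        try {
            // Credentials from the login form that the protected area accepts.
            System.out.println("valid login:   " + fetchStatus(page, basicHeader("rs", "constructed-demo-pwd")));
            // Rejected credentials: a 401 status is the controller's cue to redisplay the login form.
            System.out.println("invalid login: " + fetchStatus(page, basicHeader("rs", "wrong")));
            // Each request is checked on its own header; this one carries none.
            System.out.println("no header:     " + fetchStatus(page, null));
        } finally {
            secure.stop(0);
        }
    }
}
```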
