Hi Ben,

Someone else today had similar questions so you might want to check for the
subject "initializing Session state during realm login."

This was in Tomcat 4.0.x which has this built in.

If you use FORM level security you submit your own jsp page as the login
page and another as the page to run if login fails.  After login Tomcat
passes control to your main page.  When I converted some stuff like this I
basically just stripped out the database lookup stuff and took the login
page front end (HTML stuff) and put it in a new file.  That left the rest of
my init stuff intact in the old login page.

You can request info like the username, role, etc. from the request object
with its various methods.

It is actually very nice because Tomcat now handles that for you and you can
take most or all of the security validation stuff out of your pages.  Like
you say this makes your project something you can deploy with Tomcat or a
full blown J2EE server without changes.

One snag as the other fellow found out is that you lose a little control of
what happens when a session times out.  You get bounced out of the realm so
you have to figure out how to deal with that.

Rick

> Hello all-
>
> I have a servlet based application running on Tomcat 3.2.  It uses a
> homespun security system which I would like to replace with standard J2EE
> security.  However, when the user logs in there are a number of server-side
> tasks which have to be performed both before and after authentication takes
> place, and which logically and functionally are all part of the login
> process.
>
> Therefore it is a problem for me that, as best I can tell from available
> documentation, all authentication is done through the magic URL
> "/j_security_check" which is opaquely handled by the application server.
>
> I have seen some suggestions on newsgroups that I should hack my way around
> this by having my own servlet code forward to /j_security_check after doing
> my own processing, but
> 1) this is not really what I want because some of the work I have to do
> should not take place until after authentication, and
> 2) that seems like a colossal hack that might have ramifications I don't know
> about.
>
> What I really want is a server-side method like authenticate(username,
> password) which would be functionally the same as submitting to
> /j_security_check.  Does any such thing exist, and where can I find out
> about it?  If not, can anyone suggest an alternative?
>
> Thanks in advance,
>
> Ben Drasin
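
An added example (not from this thread and not Tomcat's own code): a Servlet 2.3 filter that runs the post-login initialization discussed above once per authenticated session, keyed on `request.getRemoteUser()`, and runs it again when a session timeout forces a fresh login. The class name, the session attribute names and the `admin` role are assumptions, as is a `<filter-mapping>` in web.xml that covers the protected URLs.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical filter: container does the authentication, this does the app-specific setup.
public class PostLoginInitFilter implements Filter {
    // Hypothetical attribute name; records which user this session was initialized for.
    private static final String INIT_USER = "app.initForUser";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            String user = http.getRemoteUser(); // null until the container has authenticated
            if (user != null) {
                HttpSession session = http.getSession(true);
                // A new session after timeout and re-login has no marker, so setup runs again.
                // A marker for a different user also forces re-initialization.
                if (!user.equals(session.getAttribute(INIT_USER))) {
                    initSessionFor(http, session, user);
                    session.setAttribute(INIT_USER, user);
                }
            }
        }
        chain.doFilter(req, res);
    }

    private void initSessionFor(HttpServletRequest http, HttpSession session, String user) {
        // Identity and role come from the container's realm, never from a request parameter.
        session.setAttribute("app.displayName", user);
        session.setAttribute("app.isAdmin", Boolean.valueOf(http.isUserInRole("admin")));
    }
}
```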


