FYI,

The following is extracted from another thread here,
but it is very relevant to this thread.  Craig points
out that there currently is no standard API for
performing programmatic authentication of the user
that would achieve the effect of logging the user into
the container, such that you could then rely on
container managed security.

This seems like a valuable future addition to the
standard API.

Tim

********************

> What I really want is a server-side method like authenticate(username,
> password) which would be functionally the same as submitting to
> /j_security_check.  Does any such thing exist, and where can I find out
> about it?

There is no such API that is portable across containers.  If your
container supports it, JAAS is probably as close as you can get (for
Tomcat, that would mean using JAASRealm in the nightly builds), but
nothing is perfect.

> If not, can anyone suggest an alternative?

In a servlet 2.3 container, you can define a session listener that is
notified when new sessions are created.  However, the notification does
not include the current request (indeed, it cannot -- sessions can be
created outside of the context of a request), so you won't be able to find
out who the newly logged on user is.

One approach would be to use a Filter that recognized the newly set up
session (because the session created listener placed a special attribute
there), and performed all the "logon setup" stuff based on the value
returned by request.getRemoteUser() or request.getUserPrincipal() if it
has not been done yet.

> Thanks in advance,
>
> Ben Drasin
>

Craig
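
The listener-plus-filter approach described above, sketched as an added example (not code from the original thread). The class name and attribute names are hypothetical; only the Servlet 2.3 API calls are real. It assumes the container may create the session before authentication completes, so the marker stays in place until getRemoteUser() returns a user.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical class: registered once as a <listener> and once as a <filter> in web.xml.
public class LogonSetup implements HttpSessionListener, Filter {
    static final String PENDING = "logonSetup.pending"; // marker placed by the listener
    static final String USER = "logonSetup.user";       // example per-user session state

    // Listener side: no request is available here, so only mark the session as new.
    public void sessionCreated(HttpSessionEvent ev) {
        ev.getSession().setAttribute(PENDING, Boolean.TRUE);
    }

    public void sessionDestroyed(HttpSessionEvent ev) { }

    public void init(FilterConfig cfg) { }

    public void destroy() { }

    // Filter side: finish the setup on the first request that carries an authenticated user.
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            HttpSession session = http.getSession(false); // never create a session here
            String user = http.getRemoteUser();           // null until the container has authenticated
            // Identity comes only from the container, never from a request parameter.
            if (session != null && user != null
                    && session.getAttribute(PENDING) != null) {
                session.setAttribute(USER, user);         // the "logon setup" work goes here
                session.removeAttribute(PENDING);         // so the setup runs once per session
            }
        }
        chain.doFilter(req, res);
    }
}
```

The filter has to be mapped to the protected URL patterns for the check to run; requests outside the mapping leave the marker untouched until a mapped request arrives.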




--- Timothy Fisher <[EMAIL PROTECTED]> wrote:
> The feature that you're describing is the standard J2EE
> security model.  This is a part of any servlet
> container.  Tomcat by itself, without struts or
> turbine, offers you the same container managed
> authentication features.
> 
> Tim
> 
> --- Joel Rees <[EMAIL PROTECTED]> wrote:
> > Oki DZ commented:
> >
> > > On 04/23 12:25 Joel Rees wrote:
> > > > So, do you have a container-managed solution?
> >
> > > Somebody does...
> > > Take a look at http://jakarta.apache.org/turbine/
> > > Turbine would be the ultimate servlet container that will take charge in
> > > running all your other servlets, so that handling users that are
> > > authenticated or not yet authenticated becomes a piece of cake.
> > > Of course, there's a learning curve to climb, but I believe that it
> > > would be worth it. (eg: if your client entered
> > > "http://yourhost.com/some/path/to/a/plain.html" in his/her
> > > browser and yet he/she was not logged in, the request would be redirected
> > > to a login form you had designated.)
> >
> > So, how do you think Turbine compares to Struts?
> > I've been looking at both,
> > but my colleagues prefer the designated standard
> > track.
> >
> > Joel Rees
> > Alps Giken Kansai Systems Development
> > Suita, Osaka
> > 
> > 
> > 
> > 
> > --
> > To unsubscribe:
> > <mailto:[EMAIL PROTECTED]>
> > For additional commands:
> > <mailto:[EMAIL PROTECTED]>
> > Troubles with the list:
> > <mailto:[EMAIL PROTECTED]>
> > 
> 
> 
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Games - play chess, backgammon, pool and more
> http://games.yahoo.com/
> 
> 

