Vincenzo Marchese wrote:

>> by the way, vincenzo: your idea worked - will write HOWTO for the list
>
> No doubt Mats ;)
> we use it in a production site :)
> The only potential flaw is that if you look in your browser's cache
> you may find the authentication form filled with username and password
> and that's a problem in a shared computer environment. This happens only
> if you perform your redirect in jsp page, maybe server-side redirecting
> can avoid this. Didn't try.

hi vincenzo,

yes i have thought about the security problem, and it's real :(

this is the advantage of this solution. if you're willing to "lock yourself in" [Craig] you can login to tomcat by setting the session attributes j_username and j_password (at least in 3.2, probably 3.x "series"). then the accessinterceptor will let you through and the realm manager considers you logged in and will assign you the proper roles as well. this might however not be portable to catalina/tomcat4 or other servlet servers but works for my application.

server-side won't work. the "redirect ploy" hinges upon the fact that it is the browser that submits the form.