If you mean protecting the page w/ a security constraint, I think that
would be a problem in that JAAS would detect that it's a protected
resource and prompt the user to log in before hitting the login page and
upon a successful login would redirect the user to the login page after
they've already logged in. And even if I modified the login page to
redirect to the default home page in the webapp, the problem is when
they try logging in as someone else without logging out - JAAS/Tomcat
detects that they are already logged in (have an authenticated session)
and so would bypass any authentication mechanism.
--adam
Dale Newfield wrote:
> Adam Gordon wrote:
>> We're using JAAS for webapp authentication and we've discovered an
>> issue: If user A is logged in and tries to log in as user B, they
>> stay logged in as user A.
>
> Couldn't you protect the login form page and action so that they're
> only accessible by a session without any valid login credentials?
> That way the only way to log in as B would be to first log out as A
> (or in some other way start a new session w/o A's credentials).
>
> -Dale
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
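One way to handle the "log in as B while still logged in as A" case from the thread above is an explicit re-login endpoint that drops A's identity and session before authenticating B. This is an added example, not code from either poster; it assumes a Servlet 3.0+ container with the `javax.servlet` API, and the servlet name, URL, parameter names and redirect targets are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet: "/relogin", the parameter names and the redirect
// targets are assumptions made for this example.
@WebServlet("/relogin")
public class ReloginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // User A is still authenticated: clear A's principal first, otherwise
        // the container keeps serving the request as A.
        if (req.getUserPrincipal() != null) {
            req.logout();
        }

        // Discard A's session so none of A's session attributes leak to B.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }

        // Fresh session created before login so the container has a session
        // to bind the new principal to (how the principal is cached is
        // container-specific; treated as an assumption here).
        req.getSession(true);

        try {
            // Delegates to the realm configured for the webapp (e.g. a JAAS realm).
            req.login(user, pass);
        } catch (ServletException e) {
            resp.sendRedirect(req.getContextPath() + "/login.jsp?error=1");
            return;
        }
        resp.sendRedirect(req.getContextPath() + "/home");
    }
}
```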