Thorbjørn,
Won't that run into the same issues with server-side request forwarding
and un-updated URLs that a phase listener will run into?
Regards,
Jeff Bischoff
Kenneth L Kurz & Associates, Inc.
Thorbjørn Ravn Andersen wrote:
Jeff Bischoff wrote on 03-11-2006 22:19:
I have a simple intranet application. There is a public (no auth)
section, and a secure section for logged-in users. My main requirement
is simple. I want to force the users to authenticate (log in) before
they access the restricted portion of the application. View paths to
this portion are predictable (i.e. /public/* vs /system/*). Desired
authorization scheme will be rather simple (e.g. admins, users,
unauthenticated). I may want control-level access controls later, but
I feel that a good approach to page-level authorization is the most
important goal here.
I would consider a servlet filter which I currently use in an
application where I have chosen not to use container authentication as
the criteria for being able to use it, is that the entered userid and
password are valid for letting the application connect to a backend.
You can analyse the URL which is requested, and if it belongs in the
"protected" section simply redirect to a login page.
If you want I can show you how I do it.
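
Added example (not code from either poster) of the servlet-filter approach discussed in this thread, mapped so that it also runs on server-side forwards, the concern raised in the reply. The login page path, session attribute name, filter name and the assumption that the FacesServlet is extension-mapped (`*.jsf`) are hypothetical; only the `/public/*` and `/system/*` split comes from the thread.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Page-level login check for /system/*. Assumed web.xml mapping (Servlet 2.4+),
 * with FORWARD listed so server-side forwards are checked as well:
 *   <filter-mapping>
 *     <filter-name>loginFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *     <dispatcher>REQUEST</dispatcher>
 *     <dispatcher>FORWARD</dispatcher>
 *   </filter-mapping>
 */
public class LoginFilter implements Filter {
    private static final String PROTECTED_PREFIX = "/system/";     // from the thread
    private static final String LOGIN_PAGE = "/public/login.jsf";  // hypothetical path
    private static final String USER_ATTR = "authenticatedUser";   // hypothetical name

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Container-decoded path of the current dispatch. On a forward this is
        // the forward target, not the URL still shown in the browser.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }

        HttpSession session = request.getSession(false); // never create one here
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        if (isProtected(path) && !loggedIn) {
            String target = request.getContextPath() + LOGIN_PAGE;
            response.sendRedirect(response.encodeRedirectURL(target));
            return; // do not continue the chain for unauthenticated users
        }
        chain.doFilter(req, res);
    }

    // Matches the protected section itself and everything beneath it.
    static boolean isProtected(String path) {
        return path.equals("/system") || path.startsWith(PROTECTED_PREFIX);
    }
}
```

Without the `FORWARD` dispatcher the filter sees only the original client request, so a forward from a `/public/` URL into a `/system/` view would pass unchecked.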