Dear all,

Our website has a restricted folder, let's say /restricted, which is supposed to be accessible only by registered users. Surely I can simply use the JDBC realm + security constraint provided by Tomcat 5.5.X (BTW, that's the version I use) for user access control. However, I need to do a little bit more. Once the user is authenticated, before showing him the webpage, his personal information needs to be collected from the database.

Now it seems I have two options.

1. Forget about the security constraint supported by Tomcat. Write code to do authentication and user info collection. This is fine, except now I have to check every user's HTTP request: if it points to /restricted/*, I have to further determine whether the user has already logged in, which was previously done gracefully by Tomcat and is now definitely a boring task.

2. Use the realm and security constraint. This might mean that I have to modify the Tomcat source to do user info collection before letting the user in, which I will try my best to avoid.

I thought about a possible workaround that combines both. If I specify the login-page of my security constraint as my own custom login page, then each time users try to access the restricted area directly without first logging in, they will be directed here. In other words, I only use the security constraint but no realms. Things would go wrong, though, when the user first logs in and then accidentally leaves the restricted area. If he wants to go back to the restricted area, he will be redirected to the login page.

So my question is: how can I replace the realm with my own custom login so that it works seamlessly with the server-level security constraint?

Thanks in advance,
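One way to keep the container's realm and security constraint and still collect the user's information, shown as an added example that is not part of the original post: a servlet filter declared in web.xml with a `<filter-mapping>` for `/restricted/*`, which loads the profile the first time an authenticated request arrives. The class name, the JNDI name `jdbc/UserDB`, the `users(user_name, email)` table and the session attribute names are assumptions made for illustration.

```java
import java.io.IOException;
import java.sql.*;
import javax.naming.*;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.sql.DataSource;
// Mapped to /restricted/*. The container enforces the security constraint
// before filters run, so getRemoteUser() is the realm-authenticated name.
public class UserInfoFilter implements Filter {
    private DataSource ds;

    public void init(FilterConfig cfg) throws ServletException {
        try { // Assumed JNDI name of the application's DataSource.
            ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/UserDB");
        } catch (NamingException e) {
            throw new ServletException(e);
        }
    }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String user = http.getRemoteUser();
        if (user != null) {
            HttpSession session = http.getSession();
            // Load once per login; reload if the session now belongs to another user.
            if (!user.equals(session.getAttribute("userInfoOwner"))) {
                session.setAttribute("userEmail", loadEmail(user));
                session.setAttribute("userInfoOwner", user);
            }
        }
        chain.doFilter(req, res);
    }
    // Assumed schema: users(user_name, email). The name is a bound parameter.
    private String loadEmail(String user) throws ServletException {
        try {
            Connection c = ds.getConnection();
            try {
                PreparedStatement ps = c.prepareStatement("SELECT email FROM users WHERE user_name = ?");
                ps.setString(1, user);
                ResultSet rs = ps.executeQuery();
                return rs.next() ? rs.getString(1) : null;
            } finally {
                c.close();
            }
        } catch (SQLException e) {
            throw new ServletException(e);
        }
    }
    public void destroy() { }
}
```

Because authentication stays with the container, a user who leaves /restricted and returns within the same session is not sent back to the login page, and the filter finds the cached attributes already present.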