Pid,

> Am thinking about implementing a custom Form authenticator, does anyone
> have any tips or links they can recommend before I get started?
>
> Particularly want to know if I can use it on one webapp, not force all
> on the server to use it too.

http://securityfilter.sourceforge.net

You can enable it on a per-webapp basis, and it's portable across app servers, too (i.e. does not require Tomcat).

I have written a patch to add pass-through parameters to j_security_check so that you can, say, add a "pin" field to your login so that it gets forwarded to the page where the user goes after the login completes (http://sourceforge.net/forum/forum.php?thread_id=1570529&forum_id=200424).

I will also be writing a patch that allows you to restrict a login to a single IP address for a modicum of extra security.

-chris