Steve,

On 6/29/2009 1:58 PM, Steve B. wrote:
> I understand that Tomcat's FORM authorization setup expects me to secure
> URL's and then let Tomcat invoke the login form before proceeding to
> these URL's when requested.
> 
> However, I have a site for which we are creating a new layout which
> includes a small login form in the left column. Throughout the site we
> use roles defined in the web.xml (checked using isUserInRole() ). I see
> many sites use this layout-embedded login form, so I expect there is
> some way to set this up in Tomcat. Can someone point me at some info? I
> am using Struts in case that matters.

So, you want to be able to invoke j_security_check without first having
requested a protected resource, right? I call this a "drive-by login",
and, unfortunately, Tomcat does not support this directly.

I switched to use securityfilter (http://securityfilter.sourceforge.net)
primarily for this reason. Alternatives include using ACEGI (or "Spring
Security" these days) (I think... Ihaven't used it so I don't know if
drive-by logins are supported) or writing your own authentication and
authorization mechanism. You could even patch Tomcat directly to allow
this kind of login, but you run the risk of tying yourself to a
particular version (or even patch level) of Tomcat. That's why I
recommend using something like securityfilter.

> I see many sites use this concept of putting the login form in the
> template - does this setup require me to abandon Tomcat's
> authentication/authorization mechanisms? My site has many pages and
> features which all use the isUserInRole() - I dread having to recode the
> whole site just for a simple login form.

FWIW, I find using isUserInRole to be tedious and possibly insecure
(that is, the page developer has to make these kinds of decisions,
instead of an application designer at a higher-level). Do you really
need to have role checking in your JSPs? Typically, by the time the view
is being rendered, permissions are somewhat irrelevant.

-chris
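The "drive-by login" Chris describes became possible without a third-party filter once containers implemented Servlet 3.0 (Tomcat 7 and later, which postdate this thread): HttpServletRequest.login() authenticates against the context's configured Realm with no prior security-constraint challenge. The following is an added example, not code from the thread; the servlet name, the /login mapping, the `next` hidden field and the login-failed.jsp page are assumptions, and the changeSessionId() call needs Servlet 3.1 (Tomcat 8+).

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet receiving the POST from a login form embedded in the page layout.
// The form posts j_username, j_password and a hidden "next" field holding the current page's
// context-relative path, so the user lands back where they started after logging in.
@WebServlet("/login")
public class DriveByLoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("j_username");
        String pass = req.getParameter("j_password");
        String next = safeReturnPath(req.getParameter("next"), req.getContextPath());

        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try {
            // Authenticates against the Realm of this context and registers the principal on the
            // session, so request.isUserInRole() works on later requests exactly as with FORM auth.
            req.login(user, pass);
        } catch (ServletException failed) {
            // One generic failure page: do not echo the username or say which part was wrong.
            resp.sendRedirect(req.getContextPath() + "/login-failed.jsp");
            return;
        }
        // Rotate the session id after authentication so a pre-login id cannot be fixated.
        req.changeSessionId();
        resp.sendRedirect(next);
    }

    /** Accepts only a plain context-relative path; absolute URLs, "//host" and scheme-like
     *  values fall back to the context root so the form cannot be abused as an open redirect. */
    static String safeReturnPath(String candidate, String contextPath) {
        if (candidate == null || !candidate.startsWith("/") || candidate.startsWith("//")
                || candidate.contains("\\") || candidate.contains(":")) {
            return contextPath + "/";
        }
        return contextPath + candidate;
    }
}
```

The Realm, roles and `<security-constraint>` entries in web.xml stay as they are; only the way the login is triggered changes.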
