Posted to users@tomcat.apache.org by Andreas Schildbach <an...@schildba.ch> on 2002/09/03 21:27:06 UTC

Container Based Security/Authentication and Forced Login/Logoff

Hello!

I am using Container Based Security with the Tomcat 4.1.9 beta.
Currently I have Form based Authentication configured.

I'd like to allow the user to authenticate before he tries to access a
resource that is protected by security constraints in web.xml.

==> Is it possible for a Servlet/JSP to force authentication for a user
(maybe by calling a method)?

I'd also like to offer a 'Logout' button to the user.

==> Is it possible to remove the authentication other than telling the user
to close the browser?

Thanks,

Andreas



--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: Container Based Security/Authentication and Forced Login/Logoff

Posted by Eddie Bush <ek...@swbell.net>.
Search the archive.  The short answers are below.

Andreas Schildbach wrote:

>Hello!
>
>I am using Container Based Security with the Tomcat 4.1.9 beta.
>Currently I have Form based Authentication configured.
>
>I'd like to allow the user to authenticate before he tries to access a
>resource that is protected by security constraints in web.xml.
>
So would we all!

>==> Is it possible for a Servlet/JSP to force authentication for a user
>(maybe by calling a method)?
>
Nope.  There are work-arounds though, I believe.  One of them is JAAS.

>I'd also like to offer a 'Logout' button to the user.
>
>==> Is it possible to remove the authentication other than telling the user
>to close the browser?
>
Invalidate the session.  Note that the session will not show up as 
invalid until the next request.  In other words, don't forward from the 
logout, redirect from it.

>Thanks,
>
>Andreas
>
Regards,

Eddie
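
The logout approach from the reply above (invalidate the session, then redirect instead of forwarding), as an added example that is not part of the original thread or of Tomcat's own code. The class name LogoutServlet, its /logout mapping and the /index.jsp landing page are assumptions; the calls are the standard javax.servlet API.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout servlet. Map it in web.xml to a URL such as /logout
// that is NOT covered by a security-constraint.
public class LogoutServlet extends HttpServlet {

    // Assumed landing page; it must also be outside every security-constraint,
    // otherwise the redirect lands straight back on the login form.
    private static final String AFTER_LOGOUT = "/index.jsp";

    // Handle POST only, so the 'Logout' button is a form submit and a plain
    // link or image tag on another page cannot end the user's session.
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // getSession(false): do not create a session just to destroy it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            // The form-based login state is tied to the HTTP session,
            // so invalidating the session removes the authentication.
            session.invalidate();
        }

        // Keep browsers and proxies from storing this response.
        response.setHeader("Cache-Control", "no-store");
        response.setHeader("Pragma", "no-cache");

        // Redirect, do not forward: a forward is processed inside the current
        // request, which still carries the old session id and user. The
        // redirect makes the browser send a new request, and that request is
        // the first one the container treats as unauthenticated.
        response.sendRedirect(request.getContextPath() + AFTER_LOGOUT);
    }
}
```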


