Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/03/06 22:13:44 UTC

DO NOT REPLY [Bug 17743] New: - enhancements to allow automatic login for web apps

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17743

           Summary: enhancements to allow automatic login for web apps
           Product: Tomcat 5
           Version: Nightly Build
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Enhancement
          Priority: Other
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: kenkyee@excite.com


After a long dig for info on how to do this on the Tomcat/JBoss mailing lists 
and various web forums, I came to the conclusion that there's no clean way to do 
this w/o a hack (I'll describe the hack later).

By "automatic login", I mean the feature where you have some web sites that will 
offer to remember your username/password for you via a persistent cookie.  The 
problem is there's no hook for this (though a Valve might do it).  What you 
usually do is put some code on a page that initiates the login process by 
calling a container's authentication system.  The only way I could do this was 
to have a servlet simulate a POST to j_security_check; it works fine, but it'd 
be nice if I could do this in a supported way by calling a Tomcat function to 
do the authentication instead of doing the simulated POST hack.  This hack only 
works if you use Form based authentication as well.

The problem w/ this approach is that if a user bookmarks a URL that has been 
restricted via container-managed declarative security, this technique won't 
work.  The user will get prompted for username/password.

A somewhat related feature is the ability to have principals/roles propagate 
through all URLs of a web app instead of the way it is now where they are only 
readable in servlets/JSPs in the restricted URLs.  I've found FAQs that indicate 
this is the way it is because the servlet spec is vague, but I'll give you a 
case where it is needed: you have a home page that has a hidden link that is 
only visible if a user has the Admin role.  The home page is not restricted but 
the user does have the Admin role.

I'd like to see this in the 4.x codestream as well, but 5.0 sounds like it's 
close to release :-)
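
As an added example, not part of the original bug report and not Tomcat code: a server-side token store that a login hook could consult, so the persistent cookie holds a random single-use token instead of the username/password. The class and method names and the 14-day lifetime are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;

// Added example: server-side store for persistent-login ("remember me") tokens.
// All names are hypothetical; nothing in this class is Tomcat API.
public class RememberMeTokens {
    private record Entry(String user, byte[] validatorHash, Instant expires) {}
    private static final long LIFETIME_SECONDS = 14L * 24 * 3600; // assumed policy
    private final SecureRandom rng = new SecureRandom();
    private final ConcurrentHashMap<String, Entry> bySelector = new ConcurrentHashMap<>();

    // Returns the cookie value "selector:validator"; only a hash of the validator is stored.
    public String issue(String user) throws Exception {
        String selector = randomToken(12), validator = randomToken(32);
        bySelector.put(selector, new Entry(user, sha256(validator),
                Instant.now().plusSeconds(LIFETIME_SECONDS)));
        return selector + ":" + validator;
    }

    // Returns the user name for a valid cookie, or null. The entry is removed on any lookup,
    // so each token works once; hashes are compared in constant time. Caller re-issues a cookie.
    public String redeem(String cookieValue) throws Exception {
        String[] parts = cookieValue == null ? new String[0] : cookieValue.split(":", -1);
        if (parts.length != 2) return null;
        Entry e = bySelector.remove(parts[0]);
        if (e == null || Instant.now().isAfter(e.expires())) return null;
        return MessageDigest.isEqual(e.validatorHash(), sha256(parts[1])) ? e.user() : null;
    }

    private String randomToken(int bytes) {
        byte[] b = new byte[bytes];
        rng.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    private static byte[] sha256(String s) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        RememberMeTokens store = new RememberMeTokens();
        String cookie = store.issue("alice"); // constructed sample user
        // First use succeeds; replaying the same cookie does not.
        System.out.println(store.redeem(cookie) + " / " + store.redeem(cookie));
    }
}
```

The cookie carrying this value would be set with the `Secure` and `HttpOnly` attributes, and a stolen cookie is useless once the legitimate browser has redeemed it.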
