Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/03/06 22:13:44 UTC
DO NOT REPLY [Bug 17743] New: - enhancements to allow automatic login for web apps
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17743
Summary: enhancements to allow automatic login for web apps
Product: Tomcat 5
Version: Nightly Build
Platform: All
OS/Version: All
Status: NEW
Severity: Enhancement
Priority: Other
Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: kenkyee@excite.com
After a long dig for info on how to do this on the Tomcat/JBoss mailing lists
and various web forums, I came to the conclusion that there's no clean way to do
this w/o a hack (I'll describe the hack later).
By "automatic login", I mean the feature where you have some web sites that will
offer to remember your username/password for you via a persistent cookie. The
problem is there's no hook for this (though a Valve might do it). What you
usually do is put some code on a page that initiates the login process by
calling a container's authentication system. The only way I could do this was
to have a servlet simulate a POST to j_security_check; it works fine, but it'd
be nice if I could do this in a supported way by calling a Tomcat function to
do the authentication instead of doing the simulated POST hack. This hack only
works if you use Form based authentication as well.
The problem w/ this approach is that if a user bookmarks a URL that has been
restricted via container-managed declarative security, this technique won't
work. The user will get prompted for username/password.
A somewhat related feature is the ability to have principals/roles propagate
through all URLs of a web app instead of the way it is now where they are only
readable in servlets/JSPs in the restricted URLs. I've found FAQs that indicate
this is the way it is because the servlet spec is vague, but I'll give you a
case where it is needed: you have a home page that has a hidden link that is
only visible if a user has the Admin role. The home page is not restricted but
the user does have the Admin role.
I'd like to see this in the 4.x codestream as well, but 5.0 sounds like it's
close to release :-)