Posted to users@tomcat.apache.org by Kevin HaleBoyes <kc...@yahoo.com> on 2001/05/16 20:45:04 UTC
FORM-based login questions
I've managed to get FORM-based login to work but I've got a few questions regarding it. I have an application that has three different roles: customer, administrator, and retailer. They will have access to their own part of the overall application - generally, the customer will access JSPs and servlets in the /ft/cust resource collection. Similarly for the admin and retailer roles. My web.xml file contains the following:
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin Functions</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ltadmin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Etailer Functions</web-resource-name>
      <url-pattern>/etailer/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ltetailer</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Customer Functions</web-resource-name>
      <url-pattern>/cust/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ltcust</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginerror.jsp</form-error-page>
    </form-login-config>
  </login-config>
My tomcat-users.xml file has the users and roles defined appropriately:
  <user name="lftcust" password="t" roles="ltcust" />
  <user name="lftadmin" password="t" roles="ltadmin" />
  <user name="lftetail" password="t" roles="ltetailer" />
As I said, this is working but I did have a few questions. First, the context for the application is /ft and I'm running Tomcat 4.0b3 on a RedHat Linux 6.2 box. You'll notice that the "root" of the application is not protected, so if a browser is pointed to http://localhost:8080/ft/index.jsp it is served up without a username/password prompt. If I try to go to the /ft/cust/index.jsp URL then my login.jsp form is presented (the user logs in and is redirected to the /ft/cust/index.jsp location).
If I access the URL http://localhost:8080/ft/login.jsp directly, right from the start, I get the login form presented. If I log in with a correct username and password I get the following error displayed in my browser window:

  HTTP Status 400 - Bad Request

and the URL is:

  http://localhost:8080/ft/j_security_check

It's almost like the FORM authentication handler doesn't know where to go after the login succeeds. Is there anything I can do about this? The Java Servlet Specification 2.3 document doesn't describe how this should be handled.
Along a similar line. Say my /ft/index.jsp page has a link to login (/ft/login.jsp) and a user takes it. Once the user is authenticated, how can I direct them to a particular page (as the next page from the login form)?
Another question. How do I log out? What I do right now is have a logout.jsp page that calls

  <% session.invalidate(); %>

but is this the proper way of achieving a logout?
Yet another question. I would like to attach some information (i.e., an instance of a Java class) to the session once the user is authenticated. It will contain things like the user id and name from the database. Is there any way of doing this? I suppose I could have code in all my servlets and JSP files that builds the instance and attaches it to the session if getRemoteUser() returns not-null and the session information isn't bound. This is tedious though and requires duplicated code in every servlet or JSP that follows a login. Again, I don't see anything in the Servlet spec. Actually, I consider this to be a bit of a shortcoming (if you can't do it) in the servlet spec.
Thanks for the help,
Kevin.
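Added example, not part of the original post: one way to avoid repeating the session-binding code in every servlet and JSP is a Servlet 2.3 Filter (the API level Tomcat 4.0 implements) that checks getRemoteUser() on each request and binds the profile object once. UserProfileFilter, UserProfile, the PROFILE_KEY value and the load() lookup are hypothetical names standing in for the application's own classes; the filter also replaces a profile whose login no longer matches the authenticated principal, so a session that outlives one login never carries another user's data.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Servlet 2.3 filter: binds a per-user object to the session the first time an
// authenticated request passes through, so no servlet or JSP has to repeat this.
// Register it in web.xml with a <filter> entry and a <filter-mapping> on /*.
public class UserProfileFilter implements Filter {
    // Session attribute key, namespaced to avoid collisions with other attributes
    public static final String PROFILE_KEY = "com.example.ft.UserProfile";

    public void init(FilterConfig config) throws ServletException {
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String remoteUser = request.getRemoteUser(); // null until FORM login succeeds

        if (remoteUser != null) {
            HttpSession session = request.getSession(true);
            UserProfile profile = (UserProfile) session.getAttribute(PROFILE_KEY);
            // (Re)build when absent, or when a stale profile for a different
            // principal is still bound to this session
            if (profile == null || !profile.login.equals(remoteUser)) {
                session.setAttribute(PROFILE_KEY, UserProfile.load(remoteUser));
            }
        }
        chain.doFilter(req, resp);
    }

    public void destroy() {
    }

    // Hypothetical stand-in for the application's own user object
    public static class UserProfile implements java.io.Serializable {
        public final String login;
        public final String displayName;

        UserProfile(String login, String displayName) {
            this.login = login;
            this.displayName = displayName;
        }

        // Placeholder for the database lookup of id and name by login
        static UserProfile load(String login) {
            return new UserProfile(login, login);
        }
    }
}
```

Servlets and JSPs behind the protected URL patterns can then read the profile with session.getAttribute(UserProfileFilter.PROFILE_KEY) and never build it themselves.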