Posted to users@tomcat.apache.org by Adam Hardy <ah...@cyberspaceroad.com> on 2003/12/15 22:31:59 UTC

Re: Authentication Pattern

On 12/15/2003 06:05 PM Renato Romano wrote:
> it seems to me the simplest way to authenticate users is using form-based
> auth, in conjunction with declarative security (declaring
> resources/roles in web.xml); the main problem with this approach in my
> opinion is handling several login pages, for example; moreover, in order
> to allow authentication to be performed on the home page, you need to
> "force" the client to make a request to a protected page (correct??!!),
> which seems not so clean!! 

Whether it's not clean is a point of view: from another point of view, 
why should someone log in on your home page when you have decided not to 
protect it?

> I read something about JAAS, but didn't understand, for example, once
> logged in what should be done with the Subject object obtained after the
> login process!!! Following requests are automatically recognized coming
> from an authenticated user, as with normal form based auth ?? I'm a
> little confused about all this stuff... The main goals I have are:

In your JAAS code you just give it to the container. The container does 
what it has to with it. It's not a problem. But in the appservers I have 
used (er well just tomcat) you don't get to see your Subject again. You 
can query methods on the request object to find out about it, but that's 
it.

> Allow login from the home page

Only circuitously as you have guessed.

> Allow login from several pages (I can specify only one login page in
> web.xml !) Make all this in a clean way (for example not redirecting the
> user to a reserved page for making tomcat present the login page !!)

Basically your idea of a clean way is ruling out the possibilities. 
People do make use of CMS, but when they need the features you need, 
they all end up using redirects.

Adam

-- 
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org