Posted to users@tomcat.apache.org by Joakim Verona <jo...@verona.se> on 2000/12/18 19:35:00 UTC
getting a jsp file to always be executed on form-based authentication
Hello,
I would like a certain JSP file to always be executed when form-based auth succeeds, regardless of which
resource we are trying to get at, something like an event handler for the auth event.
I can't really find a provision for such a function, other than having some session variable
to check against, and including the same piece of code in every page.
This is doable, but is there any more elegant solution?
I will need to make my own security interceptor at some stage. Should I take care of this need in
the interceptor?
--
Joakim Verona
joakim@verona.se
http://www.verona.se/
Re: getting a jsp file to always be executed on form-based authentication
Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Joakim Verona wrote:
> Hello,
>
> I would like a certain JSP file to always be executed when form-based auth succeeds, regardless of which
> resource we are trying to get at, something like an event handler for the auth event.
>
> I can't really find a provision for such a function, other than having some session variable
> to check against, and including the same piece of code in every page.
>
> This is doable, but is there any more elegant solution?
>
Doing this goes quite a lot against the intent of what form-based authentication is all about.
Have you ever gone to a website with a protected area, where it popped up the username/password dialog box?
(In other words, you were using BASIC authentication). What happens is that you type in your
username/password and then you are sent to whatever page you originally requested.
Form based login is supposed to work exactly like that. The first time you try to access a page that is
protected by a security constraint, the servlet container will save your original request and present the
login page to you. Then, when you are successfully authenticated, your *originally* requested page is
displayed.
You will be able to tell whether the user is authenticated or not by checking the values returned by
request.getRemoteUser() and request.getUserPrincipal().
>
> I will need to make my own security interceptor at some stage. Should I take care of this need in
> the interceptor?
>
> --
> Joakim Verona
> joakim@verona.se
> http://www.verona.se/
Craig McClanahan
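
The session-variable check from the question, combined with the `request.getUserPrincipal()` test from the reply, can live in one place instead of in every page. The following is an added example, not code from either poster or from Tomcat; it assumes a container that supports the Servlet 2.3 `Filter` API (not mentioned in the thread), and the class name, session attribute name and `onLogin` hook are hypothetical.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical filter: runs a hook on the first authenticated request of a session. */
public class PostLoginFilter implements Filter {
    // Hypothetical session attribute that records which user the hook already ran for.
    private static final String HANDLED_FOR = "postLogin.handledFor";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest request = (HttpServletRequest) req;
            // Null until the container itself has authenticated the caller.
            Principal user = request.getUserPrincipal();
            if (user != null) {
                HttpSession session = request.getSession();
                // Compare names so a different user on the same session fires the hook again.
                if (!user.getName().equals(session.getAttribute(HANDLED_FOR))) {
                    session.setAttribute(HANDLED_FOR, user.getName());
                    // Concurrent first requests may both reach this point; keep onLogin idempotent.
                    onLogin(request, user);
                }
            }
        }
        // The originally requested resource is still served, as form-based login intends.
        chain.doFilter(req, res);
    }

    /** Hypothetical per-login work; here, an audit line in the servlet context log. */
    protected void onLogin(HttpServletRequest request, Principal user) {
        request.getSession().getServletContext().log("login: user=" + user.getName()
                + " addr=" + request.getRemoteAddr()
                + " first-resource=" + request.getRequestURI());
    }

    public void destroy() { }
}
```

The filter has to be mapped in `web.xml` to the same URL patterns as the security constraint; it never sees the login form submission itself, only the first request that arrives with a principal already set.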