Posted to dev@tomcat.apache.org by Arieh Markel <Ar...@central.sun.com> on 2000/11/11 01:34:10 UTC
About Form-Login-Config
I am reading the (2.3) spec and am realizing that I am not able to
share a login page with multiple contexts.
In our (embedded) use of Tomcat, we have different contexts, but
we use a single login form/screen.
When configuring the web.xml for those contexts, I realize that there is
no way to have a successful form-login-page without it belonging to the
same context.
In our case, the login form is actually a servlet that belongs to the
default context.
I was hoping to be able to point at that (default context /login)
servlet from the other contexts.
One of the solutions could be to define a /login (the same) servlet
on all the various contexts.
(I will mention that I am defining my contexts as 'trusted').
(Another note: I am using 3.2)
If I do what I mention in the last paragraph, I will end up with having
three different instances of the login servlet, right ?
------
An alternate approach could be to define 'login.html' files in those
contexts, and to have that file perform a Location redirect to the
default-context /login servlet.
------
I am wondering about the reasons that may have forced the definition
of a context-relative login-form as opposed to allowing a URL to be
specified.
Arieh
--
Arieh Markel Sun Microsystems Inc.
Network Storage 500 Eldorado Blvd. MS UBRM11-194
e-mail: arieh.markel@sun.COM Broomfield, CO 80021
Let's go Panthers !!!! Phone: (303) 272-8547 x78547
(e-mail me with subject SEND PUBLIC KEY to get public key)
Re: About Form-Login-Config
Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Arieh Markel wrote:
> I am reading the (2.3) spec and am realizing that I am not able to
> share a login page with multiple contexts.
>
That's true (also true for servlet 2.2).
>
> In our (embedded) use of Tomcat, we have different contexts, but
> we use a single login form/screen.
>
> When configuring the web.xml for those contexts, I realize that there is
> no way to have a successful form-login-page without it belonging to the
> same context.
>
> In our case, the login form is actually a servlet that belongs to the
> default context.
>
> I was hoping to be able to point at that (default context /login)
> servlet from the other contexts.
>
> One of the solutions could be to define a /login (the same) servlet
> on all the various contexts.
>
> (I will mention that I am defining my contexts as 'trusted').
> (Another note: I am using 3.2)
>
> If I do what I mention in the last paragraph, I will end up with having
> three different instances of the login servlet, right ?
>
Yes, assuming you have three contexts.
But that isn't going to be the worst of it -- a user's identity does not
propagate across web apps either, so a user that is using all three contexts
will have to authenticate themselves to all three web apps.
>
> ------
>
> An alternate approach could be to define 'login.html' files in those
> contexts, and to have that file perform a Location redirect to the
> default-context /login servlet.
>
Won't that cause the user to log in only to the default context?
>
> ------
>
> I am wondering about the reasons that may have forced the definition
> of a context-relative login-form as opposed to allowing a URL to be
> specified.
>
The reasoning for this was the same as the reasoning for everything else in
a web-app being context relative. The whole idea is that a web application
should be a stand alone entity, able to be deployed on *any* server that
supports the required API levels, without external dependencies.
The "escape valve" for cross-app authentication that the servlet spec
provides is the notion of supporting "single sign on" (Servlet 2.2, section
11.6, and Servlet 2.3 PFD, section 12.6). The basic idea is that a user
authenticates himself or herself to the first app in which they try to
access a protected page, and then this identity is remembered across all the
other apps running in the same server.
Unfortunately for your particular requirements :-(, none of the Tomcat 3.x
versions support this feature -- although Tomcat 4.0 does.
>
> Arieh
Craig McClanahan
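
The two mechanisms discussed in the reply above, as an added configuration sketch that is not part of the original thread or either poster's setup: a per-context FORM login declaration whose paths are context-relative, and the Tomcat 4.x single sign-on valve. The URL pattern, role name and error page are constructed for illustration, and the valve fragment assumes Tomcat 4.x with all contexts under one Host sharing one Realm.

```xml
<!-- WEB-INF/web.xml fragment, repeated in EACH protected context
     (Servlet 2.2/2.3 descriptor). Both form paths are resolved against
     this context's own root: they start with "/" and cannot name a
     servlet that lives in another context or an absolute URL. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name>
    <url-pattern>/admin/*</url-pattern>        <!-- constructed pattern -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>operator</role-name>            <!-- constructed role -->
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- /login here means <this context>/login, so every context needs
         its own mapping for the login servlet. Its form must POST
         j_username and j_password to j_security_check. -->
    <form-login-page>/login</form-login-page>
    <form-error-page>/login-failed.html</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>operator</role-name>
</security-role>

<!-- conf/server.xml fragment, Tomcat 4.x only, placed inside the <Host>
     that contains the contexts. With this valve the identity established
     by the first context's login form is reused by the other contexts on
     the same Host, so the user is not prompted again. The contexts must
     authenticate against the same Realm (defined on the Host or Engine,
     not per context) for the shared identity to be meaningful. -->
<Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
```

Each context still declares its own login page; the valve only removes the repeated prompt, and every context keeps enforcing its own security constraints against the shared identity.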
Re: About Form-Login-Config
Posted by cm...@yahoo.com.
> (I will mention that I am defining my contexts as 'trusted').
> (Another note: I am using 3.2)
>
> If I do what I mention in the last paragraph, I will end up with having
> three different instances of the login servlet, right ?
Right.
> An alternate approach could be to define 'login.html' files in those
> contexts, and to have that file perform a Location redirect to the
> default-context /login servlet.
An alternative approach could be to define a new authentication
Interceptor (that can be later extended to support single-login or other
authentication mechanisms).
Costin