Posted to users@tomcat.apache.org by Philippe Maseres <p....@citb.bull.net> on 2003/05/26 16:22:02 UTC

Form authentication from the home page

Hello.

I read many things about the subject from several mailing lists or forums,
but none of them satisfied me. Some of them seem not to explain how it should
actually be possible, and others rely on application-server-specific
features or intrusive modification of the container mechanisms. I suppose
it's not a specific Tomcat question, but its wide community will probably
give quick feedback...

Here is my point of view:

* Most applications must offer protected areas but also let users
navigate over free pages.
* Users can initiate authentication only when they want to access a
restricted area.
* The main home page should present the logon form, among other links or
forms, before any security constraint is detected.

The most interesting thing I read proposes a Tomcat authenticator
modification with an added request parameter (j_redirect_url ?) that lets the
application set the URL the container must serve after the authentication
completes. It seems a good idea, but, unfortunately, the servlet
specification didn't foresee it!

Is there any 'pattern' or 'well-known practice' to achieve that?

Thanks for answers...

Philippe Maseres


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: Form authentication from the home page

Posted by Martin Jacobson <ma...@libero.it>.
Philippe Maseres wrote:
> Hello.
> 
> I read many things about the subject from several mailing lists or forums,
> but none of them satisfied me. Some of them seem not to explain how it should
> actually be possible, and others rely on application-server-specific
> features or intrusive modification of the container mechanisms. I suppose
> it's not a specific Tomcat question, but its wide community will probably
> give quick feedback...
> 
> Here is my point of view:
> 
> * Most applications must offer protected areas but also let users
> navigate over free pages.
> * Users can initiate authentication only when they want to access a
> restricted area.
> * The main home page should present the logon form, among other links or
> forms, before any security constraint is detected.
> 
> The most interesting thing I read proposes a Tomcat authenticator
> modification with an added request parameter (j_redirect_url ?) that lets the
> application set the URL the container must serve after the authentication
> completes. It seems a good idea, but, unfortunately, the servlet
> specification didn't foresee it!
> 
> Is there any 'pattern' or 'well-known practice' to achieve that?
> 

The following scheme will work without breaking the servlet 2.3 spec, 
and without having to write any code. However, before explaining it, 
there are two provisos: 1) Your 'home page' must be the only page with a 
login form on it, 2) The links on your 'home page' must be to 
unprotected parts of the site - i.e., you can get to them without logging on.
Given that, it's easy!
There will be a page that is displayed once a user has logged on - let's 
call it /priv/home (i.e. my.domain/myapp/priv/home). Either provide this 
as the URL of your site, or have index.html forward to it. Thus, on 
first entry to your site, users will automatically go to this page... 
except that you will have mapped it as being in the protected part of 
your site. So, they won't see this page, but your login page, which is 
actually your 'home page', complete with login form. If the user logs 
in, he will be authenticated, and forwarded to the logged-in home page 
he unwittingly requested in the first place, whereas, if he follows 
another link on the 'home page', aka login page, he will go there, 
provided it's not protected.
In addition, if you adopt the 'forward from index.html' scheme, you can 
switch to SSL in the process - I don't think that passing user names and 
passwords in the clear is a terribly Good Idea!

HTH
Martin


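The scheme Martin describes, written out as a web.xml for a servlet 2.3 webapp. This is an added example, not configuration from either poster; the context path /myapp, the role name "user", and the file names index.jsp and home.jsp are assumptions.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <!-- First entry to /myapp/ serves index.jsp (assumed name), whose only job is a
       client-side redirect to /myapp/priv/home. It must be a real HTTP redirect
       (response.sendRedirect), not a RequestDispatcher forward: the container only
       enforces security constraints on requests that arrive from the client. -->
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <!-- Everything under /priv/ is the logged-in part of the site. Requesting
       /priv/home unauthenticated makes the container remember that URL and show
       the form-login-page instead; after a successful login it replays the
       saved /priv/home request. CONFIDENTIAL forces the switch to SSL before
       the login form is ever served, so credentials never travel in the clear. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Logged-in area</web-resource-name>
      <url-pattern>/priv/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- home.jsp (assumed name) is the public home page. Besides its ordinary links
       to unprotected pages, it carries the standard container login form:
       a POST to j_security_check with fields j_username and j_password.
       Because home.jsp itself is outside /priv/, its other links keep working
       for users who never log in. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/home.jsp</form-login-page>
      <form-error-page>/home.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

The two provisos map directly onto this file: only home.jsp may contain the j_security_check form (the container replays exactly one saved request, the one that triggered the login page), and every link on home.jsp must point outside /priv/, or following it would restart the login sequence.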