Hello, I'm (still) trying to implement a web application for my school project. The idea is that everybody is allowed to see e.g. the default page (news), but only authenticated users can e.g. access grades.
So far, no problem. The web application builds up a menu based on the roles the user has. If the user isn't authenticated, the menu won't display items for which the user has no privileges. On each page there is a login box with a target of j_security_check. Here I encountered the first problem. Jetty (and Tomcat) don't support direct requests to the login page (which I'm doing). Browsing through the source code of Jetty I found that Jetty checks a session variable called org.mortbay.jetty.URI to see where it should redirect the request after a successful login (see code below for a snippet from FormAuthenticator). If I set this session variable from my pages, all works fine. Except getUserPrincipal only returns the principal when accessing a protected resource... This is definitely not what I want. I want to be able to tell who is viewing a page even if no security restrictions apply. Does anyone know how to change this behavior? Thx in advance.

==== CODE FROM FormAuthenticator

    public UserPrincipal authenticated(UserRealm realm,
                                       String pathInContext,
                                       HttpRequest httpRequest,
                                       HttpResponse httpResponse)
        throws IOException
    {
        HttpServletRequest request = (ServletHttpRequest) httpRequest.getWrapper();
        HttpServletResponse response = (HttpServletResponse) httpResponse.getWrapper();

        // Handle paths
        String uri = pathInContext;

        // Setup session
        HttpSession session = request.getSession(true);

        // Handle a request for authentication (a POST to j_security_check).
        if (uri.substring(uri.lastIndexOf("/") + 1).startsWith(__J_SECURITY_CHECK))
        {
            // Check the session object for login info.
            String username = request.getParameter(__J_USERNAME);
            String password = request.getParameter(__J_PASSWORD);
            UserPrincipal user = realm.authenticate(username, password, httpRequest);
            // The page to return to comes from the session (__J_URI, i.e. org.mortbay.jetty.URI);
            // if it was never stored, the login is treated as failed.
            String nuri = (String) session.getAttribute(__J_URI);
            if (user != null && nuri != null)
            {
                Code.debug("Form authentication OK for ", username);
                httpRequest.setAuthType(SecurityConstraint.__FORM_AUTH);
                httpRequest.setAuthUser(username);
                httpRequest.setUserPrincipal(user);
                session.setAttribute(__J_AUTHENTICATED, user);
                response.sendRedirect(response.encodeRedirectURL(nuri));
            }
            else
            {
                Code.debug("Form authentication FAILED for ", username);
                if (_formErrorPage != null)
                    response.sendRedirect(response.encodeRedirectURL(
                        URI.addPaths(request.getContextPath(), _formErrorPage)));
                else
                    response.sendError(HttpResponse.__403_Forbidden);
            }
            // Security check is always false, only true after final redirection.
            return null;
        }

        // Check if the session is already authenticated.
        UserPrincipal user = (UserPrincipal) session.getAttribute(__J_AUTHENTICATED);
        if (user != null)
        {
            if (user.isAuthenticated())
            {
                Code.debug("FORM Authenticated for ", user.getName());
                httpRequest.setAuthType(SecurityConstraint.__FORM_AUTH);
                httpRequest.setAuthUser(user.getName());
                httpRequest.setUserPrincipal(user);
                return user;
            }
        }

        // Don't authenticate authform or errorpage
        // (parentheses added: the original "a && b || c" dereferences a null path)
        if (pathInContext != null
            && (pathInContext.equals(_formErrorPage) || pathInContext.equals(_formLoginPage)))
            return SecurityConstraint.__NOBODY;

        // redirect to login page, remembering where to return to afterwards
        if (httpRequest.getQuery() != null)
            uri += "?" + httpRequest.getQuery();
        session.setAttribute(__J_URI, URI.addPaths(request.getContextPath(), uri));
        response.sendRedirect(response.encodeRedirectURL(
            URI.addPaths(request.getContextPath(), _formLoginPage)));
        return null;
    }

_______________________________________________
JBoss-user mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-user
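One way to learn who is viewing an unprotected page, as an added example that is not from the original post or from Jetty: a servlet filter that reuses the principal FormAuthenticator stored in the session after realm.authenticate succeeded, so no page ever trusts a user name supplied by the request itself. The attribute name org.mortbay.jetty.Auth (assumed to be the value of __J_AUTHENTICATED in the Jetty version at hand) and the class name SessionPrincipalFilter are assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Exposes the principal that Jetty's FormAuthenticator stored in the session
 * on pages that no security constraint covers. Access decisions still belong
 * to the container; this filter only makes the identity readable.
 */
public class SessionPrincipalFilter implements Filter {
    // ASSUMPTION: the key FormAuthenticator uses for __J_AUTHENTICATED.
    // Check FormAuthenticator in your Jetty source and adjust if it differs.
    static final String AUTHENTICATED_ATTR = "org.mortbay.jetty.Auth";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;

        // A protected resource was already authenticated by the container: keep that.
        if (http.getUserPrincipal() == null) {
            // Never create a session here; an anonymous visitor stays anonymous.
            HttpSession session = http.getSession(false);
            Object stored = (session == null) ? null : session.getAttribute(AUTHENTICATED_ATTR);

            // Only a Principal the container itself stored after a successful
            // realm.authenticate is accepted; nothing is read from parameters.
            if (stored instanceof Principal) {
                final Principal p = (Principal) stored;
                http = new HttpServletRequestWrapper(http) {
                    public Principal getUserPrincipal() { return p; }
                    public String getRemoteUser() { return p.getName(); }
                };
            }
        }
        chain.doFilter(http, res);
    }
}
```

Map the filter to /* in web.xml so it runs for every page. isUserInRole is deliberately left untouched, so role checks continue to reflect only what the container decided.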