It's not likely the J2EE declarative security fits here as there
is no notion of reauthentication, and frankly, I don't know what
it means here either. You would have to describe the use case in
more detail.

--
xxxxxxxxxxxxxxxxxxxxxxxx
Scott Stark
Chief Technology Officer
JBoss Group, LLC
xxxxxxxxxxxxxxxxxxxxxxxx

Neal Sanche wrote:

Hi All,

One of the many mysteries that I haven't yet come to understand about securing web applications is the following:

Is it possible, with default web container security and JAAS domains, to allow a user to automatically log into a web application as 'Guest' and then at some later time allow them to log into the application as a registered user to unlock certain features of the web application based on their 'roles'?

So far, I've only been able to set a web security policy on an entire web application, or various parts of the web application, which forces the user to log in, showing either a FORM login, or a BASIC login whenever a user hits one of these 'barriers'.

Is there a way to set up JAAS so that a user's identity is assumed to be 'guest' until such time as the user reauthenticates?

Or is the J2EE built-in security model not used for this type of scenario? Is a custom security model (with cookies filters) the only way to write this type of security?

Thanks for any pointers you can give me.

-Neal



JBoss-user mailing list https://lists.sourceforge.net/lists/listinfo/jboss-user