That is a trivial check based on whether there is an authenticated user, as indicated by the getUserPrincipal() method returning null. If that is all you want, J2EE declarative security will work fine. This is not what I would call reauthentication, as the user has not accessed any secured pages. When they do, they will at that point be authenticated and the getUserPrincipal() will return who they are.
Scott Stark
Chief Technology Officer
JBoss Group, LLC
Neal Sanche wrote:
Okay, I've seen such applications, including that on JBoss.org. When you initially arrive at the site, you are 'guest', which means you have been given a session, but have not authenticated. Then you can 'login' and then see other features of the application that weren't there when you weren't logged in. I'm guessing that none of this is done with J2EE and JAAS-based authentication. This is simple session-based stuff instead.
I'm just wondering if J2EE security can be used to get the same effect in JBoss, or not.
-Neal
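The guest/logged-in split discussed in this thread, as an added example that is not code from either poster or from JBoss: a servlet on an unconstrained URL that checks getUserPrincipal(), next to the declarative constraint that actually protects the secured area. The servlet name, the /members/* path, the "member" role and the login page names are assumptions made for illustration.

```java
// Added example; HomeServlet, /members/*, role "member" and login.jsp are hypothetical names.
// Assumed web.xml fragment (declarative security enforced by the container):
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>members</web-resource-name>
//       <url-pattern>/members/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint><role-name>member</role-name></auth-constraint>
//   </security-constraint>
//   <login-config>
//     <auth-method>FORM</auth-method>
//     <form-login-config>
//       <form-login-page>/login.jsp</form-login-page>
//       <form-error-page>/login-error.jsp</form-error-page>
//     </form-login-config>
//   </login-config>
//   <security-role><role-name>member</role-name></security-role>
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Mapped to an unconstrained URL such as /home, so a guest reaches it without logging in.
public class HomeServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        // null here means the container has not authenticated this caller yet
        Principal user = req.getUserPrincipal();
        String members = resp.encodeURL(req.getContextPath() + "/members/index.jsp");
        if (user == null) {
            out.println("<p>Welcome, guest.</p>");
            // Following this link hits the constraint; the container shows login.jsp first.
            out.println("<a href=\"" + members + "\">Log in</a>");
        } else {
            out.println("<p>Logged in as " + escape(user.getName()) + "</p>");
            if (req.isUserInRole("member")) {
                out.println("<a href=\"" + members + "\">Members area</a>");
            }
        }
    }

    // Escape the principal name before echoing it into HTML.
    private static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;");
    }
}
```

The null check only decides what the page displays; access to /members/* is enforced by the security-constraint, so a guest who requests that URL directly is still sent to the login form.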