Thanks to everyone for the replies, useful info on Orion apart from anything
else !
Main ideas seem to be:
a). Programmatic login using RoleManager - Had looked at this, very useful but
the authentication isn't really the problem. What's needed after some code of
our own is the normal j_security_check behaviour, in particular go to the
originally requested page if sign-on succeessful. To use programmatic login
we'd need a way to identify the original url that triggered the sign-on page.
At worst one could program the entire security onself, but this seems
undesirable.
b). Servlet filter - Good idea, but have similar problems of what URL pattern
will select the post to j_security_check. Haven't yet found a pattern that
selects it.
But more generally, I'm finding I can't even use j_security_check by giving it
as the form action as per Servlet spec. If sign-on fails, the failed page is
displayed ok, but if sign-on succeeds, I get page not found with a url of
...appcontext.../j_security_check. I suspect this is the real problem, or at
least part of the story.
By the way, I gather from the Sun java forums that they're aware of the
limitations of the sign-on and user-admin aspects of the spec but have
deferred enhancements till after Servlet 2.3 so it can be looked into properly
rather than rushing minor tweaks into 2.3.
For info, I'm on Orion 1.4.5, just evaluating it as one of the possible
alternatives to our current IBM Websphere. Trying to keep to a single
code-base for both Websphere and J2EE-compliant servers, extending to allow
for any others we try.
Thanks
Mike
!
***********************************
NIG
The National Insurance &
Guarantee Corporation PLC
Reg. Office :
Crown House
145 City Road
London
EC1V 1LP
Registered in England & Wales No : 42133
***********************************
Legal disclaimer :
This message is confidential and for use by the addressee only. If the
message is received by anyone other than the addressee, please return
the message to the sender by replying to it and then delete the message
from your computer.
NIG does not accept responsibility for changes made to this message
after it was sent.
