Re: "remember me" authentication?
Charl Gerber wrote: > Hi everyone, > > Does Tomcat provide default support in some way to implement a 'remember me' > feature for form based authentication? This should not be dependent on a > user's browser remembering the username/password, but by a checkbox you can > check/clear on the logon jsp. No. Tomcat implements the Servlet Spec, which does not currently include this functionality. > If so, where do I find it? If not, how can I implement it? My guess is that I > store the user credentials in a cookie, but how do I get every jsp/servlet in > my application that requires authentication to automatically retrieve this > and skip authentication? Sounds like a lot of overhead, unless Tomcat can > take care of it. > > Plan B, less desired, could be for the cookie to be read only in the logon > (via javascript) jsp and automatically fill the credentials. So the user only > have to type 'Submit' to logon. Not auto logon, but at least saves some > typing. Pretty much the same as the browser would have done it, except your > app now has control. Plan C: investigate the "SecurityFilter" project, which provides extra functionality including, I think, "remember me". p > Thanks! > > Charl > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: "remember me" authentication?
Plan C: go for the gusto and use Spring Security (aka Acegi). Learning Spring and Spring Security should keep you busy for the next year or so. Definitely looks good on the resume though. Charl Gerber wrote: Hi everyone, Does Tomcat provide default support in some way to implement a 'remember me' feature for form based authentication? This should not be dependent on a user's browser remembering the username/password, but by a checkbox you can check/clear on the logon jsp. If so, where do I find it? If not, how can I implement it? My guess is that I store the user credentials in a cookie, but how do I get every jsp/servlet in my application that requires authentication to automatically retrieve this and skip authentication? Sounds like a lot of overhead, unless Tomcat can take care of it. Plan B, less desired, could be for the cookie to be read only in the logon (via javascript) jsp and automatically fill the credentials. So the user only have to type 'Submit' to logon. Not auto logon, but at least saves some typing. Pretty much the same as the browser would have done it, except your app now has control. Thanks! Charl - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: "remember me" authentication?
If the app maintains sessions, then the logon page can read the cookie, install some sort of User bean as a session attribute, and then all other pages need only check for the presence of a non- null value under that attribute. This even works for a logon-optional/remember-me (low security) setting where users can remain anonymous, but registering and logging in provides additional services. Ken Bowen On Feb 26, 2009, at 5:13 PM, Serge Fonville wrote: Does Tomcat provide default support in some way to implement a 'remember me' feature for form based authentication? This should not be dependent on a user's browser remembering the username/password, but by a checkbox you can check/clear on the logon jsp. if you google for 'jsp cookie' you will find http://www.roseindia.net/jsp/jspcookies.shtml If so, where do I find it? If not, how can I implement it? My guess is that I store the user credentials in a cookie, but how do I get every jsp/servlet in my application that requires authentication to automatically retrieve this and skip authentication? Sounds like a lot of overhead, unless Tomcat can take care of it. In any jsp page you can use include directives and inline java (scriptlet). Alternatively you can implement java beans to perform the authentication decisions. Any web application that uses authentication needs to perform these steps at every request (page view) Hope this helps. Regards, Serge Fonville - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: "remember me" authentication?
> > Does Tomcat provide default support in some way to implement a 'remember > me' feature for form based authentication? This should not be dependent on a > user's browser remembering the username/password, but by a checkbox you can > check/clear on the logon jsp. > if you google for 'jsp cookie' you will find http://www.roseindia.net/jsp/jspcookies.shtml If so, where do I find it? If not, how can I implement it? My guess is that > I store the user credentials in a cookie, but how do I get every jsp/servlet > in my application that requires authentication to automatically retrieve > this and skip authentication? Sounds like a lot of overhead, unless Tomcat > can take care of it. > In any jsp page you can use include directives and inline java (scriptlet). Alternatively you can implement java beans to perform the authentication decisions. Any web application that uses authentication needs to perform these steps at every request (page view) Hope this helps. Regards, Serge Fonville
RE: "remember me" authentication?
Doesn't seem too hard to do cookies, googling it finds pages like http://www.roseindia.net/jsp/jspcookies.shtml which can probably help you out. -Tony --- Manager, IT Operations Format Dynamics, Inc. 303-573-1800x27 abia...@formatdynamics.com http://www.formatdynamics.com -Original Message- From: Charl Gerber [mailto:charlger...@yahoo.com] Sent: Thursday, February 26, 2009 2:39 PM To: users@tomcat.apache.org Subject: "remember me" authentication? Hi everyone, Does Tomcat provide default support in some way to implement a 'remember me' feature for form based authentication? This should not be dependent on a user's browser remembering the username/password, but by a checkbox you can check/clear on the logon jsp. If so, where do I find it? If not, how can I implement it? My guess is that I store the user credentials in a cookie, but how do I get every jsp/servlet in my application that requires authentication to automatically retrieve this and skip authentication? Sounds like a lot of overhead, unless Tomcat can take care of it. Plan B, less desired, could be for the cookie to be read only in the logon (via javascript) jsp and automatically fill the credentials. So the user only have to type 'Submit' to logon. Not auto logon, but at least saves some typing. Pretty much the same as the browser would have done it, except your app now has control. Thanks! Charl - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
