I've used form-based auth with the JBoss server and MySQL.
After passing authorization, the user's URL aims at a Struts application.
I don't use Struts, scriptlets, JavaScript or anything else on my login page
due to fear that a 'failure' of some kind would manage to confuse things and
possibly bypass security. I haven't had time to learn what I can get away
with on the login page, thus have played it safe.

The JBoss server/Tomcat 3.2 combination is working well as my personal
development tool and doesn't have any problems with struts that I know of.

Later,
Kurt


-----Original Message-----
From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 12, 2001 1:59 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Form-based Authentication

On Tue, 12 Jun 2001, Abraham Kang wrote:

> Hi Jason,
>
>     I should have been clearer.
>
>     The only time that you do not want the login-form to specify
> "j_security_check" as its action is when you want to do some special
> preprocessing before the user is authenticated.  By forwarding to a
> servlet (I haven't tried this with an Action but it should work) you can
> do your preprocessing in the servlet and then do a
> requestDispatcher.forward( ) to j_security_check.  This will allow you to
> do pre-processing and take advantage of the container's authentication
> realm.
>

WARNING:  Although it might be supported by some containers, you are *not*
guaranteed by the servlet spec that you can portably play that sort of a
game.  The spec clearly states that the form login page *must* have an
action of "j_security_check".  (I haven't tried it, but I'm pretty sure
your technique would not work on Tomcat.)

>     My guess is you are currently doing authentication against a database
> table.  If you are using WebLogic you can use the DBMSRealm.  This will
> probably mean you will need to add some tables to support the roles in
> WebLogic but now you don't need the authentication code in your actions.
> The container manages access to protected resources.  You don't have to
> have any scriptlets at the top of your pages as long as the regular
> expression in the <url-pattern> of the <security-constraint> element of
> your web.xml matches all of your protected resources.
>

Tomcat supports a similar mechanism -- you can configure lookup of users
in a flatfile, in a database, or in a directory server.  Each container
will provide its own mechanisms for defining how and where users and
roles can be stored.

> --Abraham

Craig McClanahan
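As an added example (not code from any of the posters above), this is the shape of the web.xml configuration Abraham and Craig are describing: a <security-constraint> whose <url-pattern> entries cover every protected resource, plus a <login-config> that declares FORM authentication and names the login and error pages. The paths /secure/*, /login.jsp and /login-error.jsp, the realm name and the role name "member" are assumptions. Note that <url-pattern> takes servlet-mapping patterns (an exact path, a prefix such as /secure/*, or an extension such as *.jsp), not regular expressions; a resource that no pattern matches is simply unprotected.

```xml
<!-- web.xml fragment (added example; all paths, realm and role names are assumed) -->
<web-app>

  <!-- Every resource that must require a login has to fall under one of the
       patterns below. The container enforces this on the request URL only;
       anything outside these patterns is reachable without authentication. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Form-based authentication: on an unauthenticated request to a
       constrained URL the container shows form-login-page, processes the
       POST to j_security_check itself against the configured realm, and
       then resumes the original request. No application code runs in
       between, which is why the form's action must be j_security_check. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Roles referenced in auth-constraint elements must be declared here;
       how users are mapped to them is configured per container (realm). -->
  <security-role>
    <role-name>member</role-name>
  </security-role>
</web-app>
```

The login page itself stays minimal, as Kurt describes: a form with method="POST", action="j_security_check", and two inputs named j_username and j_password. The container, not the application, handles that POST, so the login page needs no scriptlets or application logic, and the role lookup is whatever realm the container is configured with (a database realm in JBoss or WebLogic, or Tomcat's file, JDBC or directory realms as Craig mentions).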

