>>>>> "Rajesh" == Rajesh Kalluri <[EMAIL PROTECTED]> writes:
Rajesh> Hi All,
Rajesh> I have set up container managed authentication with tomcat with form based
Rajesh> login.
Rajesh> <login-config>
Rajesh> <auth-method>FORM</auth-method>
Rajesh> <form-login-config>
Rajesh> <form-login-page>/LoginForm.html</form-login-page>
Rajesh> <form-error-page>/LoginError.html</form-error-page>
Rajesh> </form-login-config>
Rajesh> </login-config>
Rajesh> -The entry point to my app is LoginForm.html.
Rajesh> I let Tomcat take care of authenticating the user's password and his role.
Rajesh> I want to store the user profile including his email and some other
Rajesh> information from the database into session scope based on <%=
Rajesh> request.getRemoteUser() %>.
Rajesh> At what stage is it recommended to do this in a struts application using
Rajesh> container managed authentication.

I'm not certain what you mean by "stage", but by the way you phrase this, I think you might misunderstand a little bit about how CMA works. By specifying a "login-config" element and a "security-constraint" element, you ensure that the URL patterns specified in the security-constraint will be "protected" by CMA. You don't "call" the login process at any point, and you certainly don't make your login page the "entry point" of your application.

In addition, if you implement a proper JAAS configuration file, you specify how the container obtains authentication information to compare against what the user provided. You can also use the Tomcat-specific "realm" concept, but this isn't portable to other application servers.

(And by the way, don't make the silly mistake of specifying a "url-pattern" in your "web-resource-collection" that is matched by the path to your login or error page. You'll get a glorious infinite loop, or an exception, if the app server is smart enough.)

--
===================================================================
David M. Karr ; Java/J2EE/XML/Unix/C++
[EMAIL PROTECTED]