Hi!

I'm working on a project using servlets (with Tomcat 3.2) and I have a question regarding the security mechanisms described in the servlet 2.2 spec and how to integrate them with aspects of the application other than login (for example, registration). More specifically, the application offers a registration form on the home page (nothing new here) and a registration form on the same page as the login form, which should be shown when a resource declaratively marked as secure is being accessed (nothing new here). So, to my surprise, I see no way to solve the following 2 problems inside the 2.2 spec (I'm using FORM authentication):

1) In the registration form on the home page there is no concept of a secured page to go to once registered, but the user should still be logged in, so if I call j_security_check it's not defined what would happen (and the solution is really dirty);

2) In the registration form on the login page, if the user chooses the registration route, the form can't be directly submitted to j_security_check because his/her information should be saved before being completely lost.

I wanted to be standard, 2.2 standard! But instead I ended up reading the Tomcat request interceptor sources. Still, I'm looking for a clean solution. I obviously should set the session j_username and j_password directly, and this doesn't seem very portable. If I do that and then move my servlets to a container other than Tomcat, nasty things could happen. I think I would need to get the sources again (if available) or to program all the security stuff by myself (idea!: use j_username and j_password in the session to reuse my 6 lines of code). I can't believe that the servlet spec doesn't provide an API to authenticate the user.

I urgently need to know:

1) Is there a better solution?

2) If not, will the solution I proposed work?

Thank you
Carlos
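An added example, not from the original thread, of how the home-page registration case can be handled without writing j_username/j_password into the HttpSession: persist the account first (the post's problem 2), then ask the container itself to authenticate the request. The HttpServletRequest#login method used here was introduced in Servlet 3.0, so it postdates the 2.2 spec the post targets; on a 2.2 container the portable fallback is to redirect the new user to a protected page and let the container present the login form. The /register mapping, the /members/home landing page, the in-memory user map standing in for the container's realm, and the 8-character password rule are all assumptions for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical registration servlet (assumed to be mapped to /register in web.xml).
public class RegisterServlet extends HttpServlet {

    // Stand-in for the store the container's realm is configured against; in a
    // real deployment the realm reads the same table/file this servlet writes to.
    private static final Map<String, String> USERS = new ConcurrentHashMap<>();
    private static final SecureRandom RNG = new SecureRandom();

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        if (username == null || username.isEmpty() || password == null || password.length() < 8) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "username and an 8+ character password are required");
            return;
        }

        // Step 1: persist the account before anything else, so the submitted
        // data is never lost if authentication fails afterwards.
        if (USERS.putIfAbsent(username, saltedHash(password)) != null) {
            resp.sendError(HttpServletResponse.SC_CONFLICT, "username already taken");
            return;
        }

        // Step 2: establish the authenticated session through the container
        // rather than by setting j_username/j_password on the HttpSession, which
        // is container-private state. HttpServletRequest#login (Servlet 3.0+)
        // throws ServletException when the realm rejects the credentials.
        try {
            req.login(username, password);
        } catch (ServletException e) {
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                    "account created but login failed");
            return;
        }

        // The request is now authenticated, so a protected page can be the
        // landing page even though registration started on the public home page.
        resp.sendRedirect(req.getContextPath() + "/members/home");
    }

    // Salted SHA-256 stored as Base64(salt) ":" Base64(digest). Whatever realm
    // verifies this value must use the same scheme; a slow password KDF is
    // preferable where the realm supports one.
    static String saltedHash(String password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(salt) + ":"
                    + Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The same servlet serves the login-page registration form: it creates the account and, because the container performed the login, the original protected request the user was redirected from is honoured by the normal FORM-auth flow rather than by a hand-crafted post to j_security_check.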