I just completed doing something similar. You need to write a custom authenticator.
I got hung up on having to change my web.xml security constraint from FORM to MYFORM (or whatever you put in Authenticators.properties)

-----Original Message-----
From: Brett Spell [mailto:[EMAIL PROTECTED]
Sent: Sunday, April 04, 2004 4:23 PM
To: 'mailing list'
Subject: Post processing on form authentication

Hi,

Please pardon my questions if they've already been asked and answered, but I've spent the better part of the past two days looking for answers in Google (including the Usenet archives) and the archives of this list.

I'm using Tomcat 5.0 with form-based authentication and there are two features I'd like to implement: first, I'd like to be able to store some user preference information (retrieved from a database) into the HttpSession after a successful logon. Second, I'd like to be able to include a "remember my logon information" option (checkbox) on the logon form and keep the session from expiring if it's checked. Both of these would seem to require some sort of interaction with the form-based authentication process, but I don't know how to make that happen.

During the time I've spent researching how to accomplish these two things, I saw suggestions or proposed solutions, but I have questions about what I saw. For storing user preference information in the session, someone suggested using a session listener. I understand how to do that, but how will I know which user has logged on when the session is created? I'm accustomed to finding out the user name from getRemoteUser() in the HttpServletRequest, but there is no such request (that I'm aware of, at least) associated with the event message that's generated by session creation. Is this the right solution to my problem and if so, what am I missing? Another suggestion I saw is to create a filter, which I'm pretty sure would work, but it seems like a lot of overhead to add to my application (to filter each request) for something that only needs to be done once at the initial logon.

The "remember me" problem seems to be one that others have struggled with and I did see where someone had developed a solution, but I also saw comments on that solution that led me to believe that the person was essentially exploiting a bug in Tomcat. Is there a "correct" way to intercept the post to j_security_check and modify the session so that it won't expire if the user has checked a box?

Both of these things seem pretty basic and are things I've seen done on many web sites, so I'm surprised that I haven't found a straightforward way to do either one with Tomcat. Again, I apologize if these are questions that have been answered many times before, but I would appreciate any feedback on how to accomplish them.