I'm using form-based authentication in Tomcat 5.5 and would like to have a user-initiated login action, in addition to container-initiated logins triggered by security-constraints.

My site implements both personalization for all pages and security for sensitive pages. I'd like to have a single sign-on for both personalization and security, with personalization persisting indefinitely while security-access has a session-timeout. I'm planning to use a separate cookie for the personalization, created after any authentication. The authentication and sensitive pages should all be limited to https access, while the non-sensitive pages are accessed via http.

Non-sensitive pages do not have security-constraints as users are not required to login. If not logged in, the user sees a default unpersonalized view. A user may wish to manually specify a login to acquire his or her personalized view of a non-sensitive page. Is there any way to achieve this?

I can think of indirect partial solutions. E.g., link to a protected jsp page that takes as a parameter the desired non-sensitive page (e.g., the home page) and forwards to this page. This could work assuming I want just a button or link for the user-initiated login action (causing the attempt to access the security-constrained forwarding page to post the login-page). However, what if I would like to have a login-form directly on the page from which the user can initiate the authentication? Is this possible?

I tried placing a copy of the form on the form-login-page onto the home page, and then submitted this form from the home page after a session-timeout from a prior session (that had been authenticated by a container-initiated posting of the form-login-page). The home-page form submission achieved the new authentication, but forwarded the request to the sensitive page that had been accessed in the earlier session's container-initiated authentication! That seems to be a bug.

I would appreciate any advice on how to best achieve this.

A corollary issue is that I'd like the submission of any login form to be made over https to protect the password, even if the page containing the login form was accessed via http. Can the solution to the above achieve this as well?

Thanks for any advice,

Chuck
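The "protected forwarding page" idea from the post above, written out as an added example (it is not code from the original message or from Tomcat): a small servlet mapped to a path that web.xml places under a security-constraint with a CONFIDENTIAL transport guarantee, so that any http page can carry a plain "Log in" link to it, the container redirects to https and shows the form-login-page, and after j_security_check succeeds the servlet sends the user back to the page named in a `target` parameter. The servlet name, the `/secure/login` path, the `target` parameter and the `/index.jsp` fallback are all assumptions. The one part that matters from a security standpoint is `safeTarget`: a redirect driven by a request parameter is an open redirector unless the target is restricted to a site-relative path, so only a single-slash path with printable ASCII and no scheme, authority, `..` or CR/LF is accepted.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Hypothetical servlet (example code, not from the original post).
 * Map it in web.xml to a path that is both authenticated and https-only, e.g.
 * (assumed deployment-descriptor fragment):
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>user-initiated login</web-resource-name>
 *       <url-pattern>/secure/login</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint><role-name>*</role-name></auth-constraint>
 *     <user-data-constraint>
 *       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
 *     </user-data-constraint>
 *   </security-constraint>
 *
 * A link on any http page points at /secure/login?target=/home.jsp.
 * Because the constrained URL is redirected to https before the login
 * page is shown, the j_security_check POST (and the password) go over
 * https even though the page carrying the link was fetched over http.
 */
public class LoginTriggerServlet extends HttpServlet {

    // Where to send the user when the target parameter is absent or rejected.
    private static final String DEFAULT_TARGET = "/index.jsp";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container only reaches this point for an authenticated user.
        String target = safeTarget(req.getParameter("target"));
        // sendRedirect() treats a leading "/" as container-root relative,
        // so the context path has to be prepended explicitly.
        resp.sendRedirect(req.getContextPath() + target);
    }

    /*
     * Accept only a site-relative path: one leading slash, printable ASCII,
     * no scheme or authority ("//", ":", "@"), no parent traversal and no
     * line breaks that could be used for response splitting. Anything else
     * falls back to DEFAULT_TARGET instead of being redirected to.
     */
    static String safeTarget(String t) {
        if (t == null || t.length() == 0 || t.length() > 512) {
            return DEFAULT_TARGET;
        }
        if (!t.startsWith("/") || t.startsWith("//") || t.startsWith("/\\")) {
            return DEFAULT_TARGET;
        }
        for (int i = 0; i < t.length(); i++) {
            char c = t.charAt(i);
            if (c < 0x20 || c > 0x7e) {
                return DEFAULT_TARGET;
            }
        }
        if (t.indexOf("..") >= 0 || t.indexOf(':') >= 0 || t.indexOf('@') >= 0) {
            return DEFAULT_TARGET;
        }
        return t;
    }
}
```

Note that this deliberately redirects to a fresh URL instead of forwarding to whatever request the container had saved, so a stale saved request from an earlier session is never replayed. The session cookie the container issued during the https login will still be sent by the browser on the subsequent http pages, which is inherent to the single-session design described in the post; the personalization cookie should therefore carry only display preferences, never anything that would grant access on its own.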

