> I am using Tomcat's session object, but I store a magic string in the
> session that I need to decode to see if it's a valid magic string and
> populate a LoginSession object if they're logged in... I was just hoping to
> do it without having some code at the top of every page, but it's not
> looking too possible atm... :(

Well, I'm not really deep into that stuff, but there are two things you can
add/modify: Filters and Authentication mechanisms. Tomcat allows you to define filters
that filter requests; they can do your "before doGet/doPost" action. Since you've
opted for a non-standard way of authenticating, you might need a non-standard
authentication mechanism, since both Basic and Form authentication really switch to
HTTP Authentication (HTTP Headers), while you would like your own magic string in
the session.

If you do it like that, you should have a modular solution, where your servlets/JSPs
would still call the HttpRequest.isUserInRole() method, defined in the Servlet
specification, and it gets its information from what was placed by the Filter. That way
your web application will be portable to any container and any authentication mechanism.
If you have a good reason for using *that* particular mechanism, then implement it on the
container side - don't introduce it to your Servlets and JSPs. Not just to avoid
repeating code.

Nix.
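
The filter approach suggested in the reply above, as an added example that is not part of the original message: a servlet Filter validates the session's magic string once per request and wraps the request so servlets and JSPs only call isUserInRole() (declared on HttpServletRequest in the Servlet API). Assumptions, since the thread gives none of these: the javax.servlet API (jakarta.servlet on Tomcat 10+), a session attribute named "magic", a magic string of the form `user|role1,role2.<base64url HMAC-SHA256 tag>`, and an "hmacKey" filter init-param.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.http.*;

public class MagicStringFilter implements Filter {
    private byte[] key; // assumption: HMAC key comes from the filter init-param "hmacKey"
    public void init(FilterConfig cfg) throws ServletException {
        String k = cfg.getInitParameter("hmacKey");
        if (k == null || k.isEmpty()) throw new ServletException("hmacKey init-param is required");
        key = k.getBytes(StandardCharsets.UTF_8);
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpSession session = req.getSession(false);  // do not create sessions for anonymous hits
        Object magic = session == null ? null : session.getAttribute("magic"); // assumed name
        String payload = magic instanceof String ? verify((String) magic) : null;
        if (payload == null) { chain.doFilter(rq, rs); return; } // unwrapped: no user, no roles
        String[] parts = payload.split("\\|", 2);
        final String user = parts[0];
        final Set<String> roles = new HashSet<>(
                Arrays.asList(parts.length > 1 ? parts[1].split(",") : new String[0]));
        chain.doFilter(new HttpServletRequestWrapper(req) {
            @Override public String getRemoteUser() { return user; }
            @Override public Principal getUserPrincipal() { return () -> user; }
            @Override public boolean isUserInRole(String role) { return roles.contains(role); }
        }, rs);
    }

    // Returns the payload only when its HMAC-SHA256 tag verifies; null for anything else.
    private String verify(String magic) throws ServletException {
        int dot = magic.lastIndexOf('.');
        if (dot < 1) return null;
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            byte[] want = mac.doFinal(magic.substring(0, dot).getBytes(StandardCharsets.UTF_8));
            byte[] got = Base64.getUrlDecoder().decode(magic.substring(dot + 1));
            return MessageDigest.isEqual(want, got) ? magic.substring(0, dot) : null;
        } catch (IllegalArgumentException malformed) { return null; } // bad Base64 in the tag
        catch (GeneralSecurityException e) { throw new ServletException(e); }
    }
    public void destroy() { }
}
```

Map the filter to `/*` in web.xml so it runs before every servlet and JSP; a missing or tampered magic string leaves the request unwrapped, so role checks fail closed.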

