On Wed, 28 Aug 2002, Mike Skells wrote:

> Date: Wed, 28 Aug 2002 19:21:49 +0100
> From: Mike Skells <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: 'Tomcat Users List' <[EMAIL PROTECTED]>
> Subject: Extended authentication
>
> Hi,
> I am developing an application where there is a need for extended
> authentication, in addition to that of username/password, some additional
> challenge/response
>
> Is there any way to protect a web app so that the extra parameters can
> be prompted for in a 'standard' way
>
> I know that I can use forms based authentication, but how do I separate
> the username/password validation from the forwarding of the request.
>
> Ideally I would like to validate the username/password, and then take the
> user to a subsequent page that does additional validation.
>
> I had a look at JAAS to do this, but I can't see that this can be plugged
> into a web app, without redeveloping the web app to explicitly check,
> which rather defeats the purpose of the security system in the first
> place.
>
> Is there any way to do this. All that I can think of is by using a
> filter for all of the secure area which is processed after the security
> check pass, but this means a re-implementation of the facilities of the
> j_security_check which is hardly neat
>
> Any ideas
>

Doing any sort of validation that requires additional round trips to the
user is going to be pretty challenging to implement, and is not supported
portably by the servlet spec at this time.  Basically, you are going to be
on your own in the meantime.

However, simulating your scenario for "subsequent page extra checking"
doesn't seem that difficult.  A strategy like this would probably work:

* Define a session attribute that (if it exists) includes
  the results of your extra checking.

* Add a Filter or some logic at the beginning of every page
  that routes the user to your extra page if this session
  attribute doesn't exist.

* The servlet that responds to the "extra page" form post
  can create this session attribute and then redirect the
  user back to the menu.


> Mike
>

Craig
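
The three-step scheme above (session attribute, Filter in front of the secure area, servlet that sets the attribute and redirects back), written out as an added example. This is not code from the original thread or from Tomcat itself. It assumes the container's own form login already protects both the secure area and the extra page, so getRemoteUser() is set when the filter runs; the attribute names, the /extraCheck URL, the per-user shared secrets and the HMAC-based challenge/response are all assumptions made for the illustration. It targets the javax.servlet API (Tomcat 9 and earlier); request.changeSessionId() needs Servlet 3.1 or later, and on an older container that line should simply be dropped.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Shared names and the check used by both the filter and the servlet (all names assumed). */
final class ExtraAuth {
    static final String ATTR_PASSED_FOR = "extraAuth.passedFor"; // principal the extra check passed for
    static final String ATTR_RETURN_TO  = "extraAuth.returnTo";  // server-recorded URI to go back to
    static final String ATTR_CHALLENGE  = "extraAuth.challenge"; // the one outstanding challenge
    static final String EXTRA_PAGE      = "/extraCheck";         // must NOT be under the filter mapping

    /** Constructed per-user secrets standing in for a token seed store (hypothetical data). */
    static final Map<String, byte[]> USER_SECRETS = new HashMap<>();
    static { USER_SECRETS.put("alice", "alice-token-seed".getBytes(StandardCharsets.UTF_8)); }

    /** Passed only if the attribute names the user who is logged in right now on this session. */
    static boolean passedFor(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        String user = req.getRemoteUser();
        return s != null && user != null && user.equals(s.getAttribute(ATTR_PASSED_FOR));
    }

    /** Expected response = base64(HMAC-SHA256(userSecret, challenge)); the comparison is constant-time. */
    static boolean responseMatches(String user, String challenge, String answer) throws ServletException {
        byte[] secret = USER_SECRETS.get(user);
        if (secret == null) return false;
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            byte[] expected = mac.doFinal(challenge.getBytes(StandardCharsets.UTF_8));
            return MessageDigest.isEqual(expected, Base64.getDecoder().decode(answer));
        } catch (java.security.GeneralSecurityException | IllegalArgumentException e) {
            return false;   // bad key, bad base64: treat as a failed attempt, never as an error page leak
        }
    }
}

/** Mapped to the secure area (e.g. /secure/*). Runs after the container has already authenticated. */
public class ExtraAuthFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if (ExtraAuth.passedFor(req)) { chain.doFilter(request, response); return; }

        // Remember the originally requested URI server-side (not in a user-supplied parameter).
        HttpSession s = req.getSession(true);
        String target = req.getRequestURI();
        if (req.getQueryString() != null) target += "?" + req.getQueryString();
        s.setAttribute(ExtraAuth.ATTR_RETURN_TO, target);
        resp.sendRedirect(req.getContextPath() + ExtraAuth.EXTRA_PAGE);
    }
}

/** Serves the extra page: GET issues a fresh challenge, POST verifies the response. */
class ExtraCheckServlet extends HttpServlet {
    private static final SecureRandom RNG = new SecureRandom();

    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        byte[] nonce = new byte[16];
        RNG.nextBytes(nonce);
        String challenge = Base64.getEncoder().encodeToString(nonce);   // base64, so safe to print as HTML
        req.getSession(true).setAttribute(ExtraAuth.ATTR_CHALLENGE, challenge);
        resp.setContentType("text/html");
        resp.getWriter().print("<form method='post'>Challenge: " + challenge
                + " <input name='response'><input type='submit'></form>");
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException, ServletException {
        HttpSession s = req.getSession(false);
        String user = req.getRemoteUser();
        String issued = s == null ? null : (String) s.getAttribute(ExtraAuth.ATTR_CHALLENGE);
        String answer = req.getParameter("response");
        if (s == null || user == null || issued == null || answer == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        s.removeAttribute(ExtraAuth.ATTR_CHALLENGE);   // one attempt per challenge
        if (!ExtraAuth.responseMatches(user, issued, answer)) {
            resp.sendRedirect(req.getContextPath() + ExtraAuth.EXTRA_PAGE);   // new challenge
            return;
        }
        req.changeSessionId();                          // Servlet 3.1+: new id once fully authenticated
        s.setAttribute(ExtraAuth.ATTR_PASSED_FOR, user);
        String back = (String) s.getAttribute(ExtraAuth.ATTR_RETURN_TO);
        s.removeAttribute(ExtraAuth.ATTR_RETURN_TO);
        resp.sendRedirect(back != null ? back : req.getContextPath() + "/");
    }
}
```

In web.xml the filter would be mapped to the secure area and the servlet to /extraCheck, with the security-constraint covering both so the container's j_security_check has already run before either is reached; leaving /extraCheck outside the filter mapping is what prevents a redirect loop. Binding the "passed" attribute to getRemoteUser() rather than a bare boolean means a session that later carries a different principal does not inherit the earlier user's extra check, the return target is recorded server-side so it cannot be turned into an open redirect, and each challenge is discarded after a single attempt.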

