Lb,

lightbulb432 wrote:
> But if the login and login-error pages are the same page (meaning
> that when someone fails an access check they get redirected to the
> login-error page, which is actually the login page where they must
> re-enter their credentials) how could you put information into the
> request or session scope to be accessed by the page?

You would have to do it manually. I dunno... count the number of times the page is displayed with no credentials? It's not a graceful thing to do by any means.

What we do is have two separate pages: the login page, and the login error page which basically says "error=true; forward to login-page;". Then the login page looks for the "error" flag. You need two pages for this, though.

I haven't tried it, but you might be able to make the login-error page something like "login.jsp?failed=true". That might work.

> In fact, how could I add all sorts of state to the request so that
> the message could read "Login failed for page ${failedPageName}" or
> some other parameterized text?

You don't have access to the saved request or anything like that. You might be able to hunt around for it, but there would be no guarantee that it would work across Tomcat versions, since it's not standard.

> I agree completely. I've been having a lot of problems with Tomcat
> authentication and authorization, and would like to use a custom
> solution.

I don't really see any problems... mainly shortcomings.

> The only thing that deters me, and which applies to securityfilter as
> well, is the lack of SSO across contexts.

Yup; securityfilter doesn't do SSO. But, you could potentially write your own securityfilter-friendly SSO valve. Just look at the existing SSO Valve and you might be inspired.

> The securityfilter projects says they're looking into SSO, but the
> project looks inactive enough that I'm not going to hold my breath.

securityfilter is all but dead AFAICT. Fortunately, it's pretty much got everything it needs right now.
If you submit a patch or an idea, the maintainer will probably put it in; he's just not particularly motivated to add stuff to it right now.

> I tried looking for other Java servlet security products or projects,
> but nothing really came up.

I think that's because most people are scared of "security" projects and tend to rely on the container for the whole shebang. I think that's a reasonable stance. On the other hand, securityfilter already exists... why reinvent it? ;)

-chris
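
Added example, not part of the original message or of Tomcat's own code: a login.jsp that serves as both login page and login-error page, covering the "login.jsp?failed=true" idea and the two-page "error" flag described above. The file names, the "failed" parameter and the "error" attribute follow the message; the web.xml fragment in the comment and the assumption that the container accepts a query string in form-error-page are this example's, not confirmed by the message.

```jsp
<%--
  login.jsp (added example). Assumed WEB-INF/web.xml fragment:

    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login.jsp?failed=true</form-error-page>
      </form-login-config>
    </login-config>

  Two-page variant: point form-error-page at a separate /login-error.jsp
  whose only job is request.setAttribute("error", Boolean.TRUE) followed
  by a forward to /login.jsp. This page accepts either signal.
--%>
<%@ page contentType="text/html; charset=UTF-8" %>
<%
    // Both signals are reduced to a boolean. Neither value is ever written
    // into the response, so nothing user-controlled reaches the HTML.
    boolean failed = "true".equals(request.getParameter("failed"))
            || Boolean.TRUE.equals(request.getAttribute("error"));
%>
<html>
<head><title>Login</title></head>
<body>
<% if (failed) { %>
  <%-- Fixed text only: do not say whether the user name or the password was wrong. --%>
  <p class="error">Login failed. Please re-enter your credentials.</p>
<% } %>
<%-- j_security_check, j_username and j_password are the names the
     servlet specification defines for container-managed FORM login. --%>
<form method="post" action="j_security_check">
  <label>User name <input type="text" name="j_username"/></label>
  <label>Password <input type="password" name="j_password"/></label>
  <input type="submit" value="Log in"/>
</form>
</body>
</html>
```

Anyone can request login.jsp?failed=true directly, so the flag should only ever select a fixed message and never drive anything else.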