Chris,

Thanks, yes, a "drive-by login" is what I am after. I am bummed that Tomcat does not support this - it seems the common setup on most sites I visit on the Net. (I suppose it is more accurate to say that I am bummed that the J2EE standard does not define this behavior as Tomcat is only implementing those rules.)

I agree with your view of isUserInRole() - but this is a large application which I am loathe to change everything.

I will check out the packages you mention or roll my own security using a filter or similar.

Thanks again for the response!

Steve B.


Christopher Schultz wrote:

Steve,

On 6/29/2009 1:58 PM, Steve B. wrote:
> I understand that Tomcat's FORM authorization setup expects me to secure
> URL's and then let Tomcat invoke the login form before proceeding to
> these URL's when requested.
>
> However, I have a site for which we are creating a new layout which
> includes a small login form in the left column. Throughout the site we
> use roles defined in the web.xml (checked using isUserInRole() ). I see
> many sites use this layout-embedded login form, so I expect there is
> some way to set this up in Tomcat. Can someone point me at some info? I
> am using Struts in case that matters.

So, you want to be able to invoke j_security_check without first having
requested a protected resource, right? I call this a "drive-by login",
and, unfortunately, Tomcat does not support this directly.

I switched to use securityfilter (http://securityfilter.sourceforge.net)
primarily for this reason. Alternatives include using ACEGI (or "Spring
Security" these days) (I think... I haven't used it so I don't know if
drive-by logins are supported) or writing your own authentication and
authorization mechanism. You could even patch Tomcat directly to allow
this kind of login, but you run the risk of tying yourself to a
particular version (or even patch level) of Tomcat. That's why I
recommend using something like securityfilter.

> I see many sites use this concept of putting the login form in the
> template - does this setup require me to abandon Tomcat's
> authentication/authorization mechanisms? My site has many pages and
> features which all use the isUserInRole() - I dread having to recode the
> whole site just for a simple login form.

FWIW, I find using isUserInRole to be tedious and possibly insecure
(that is, the page developer has to make these kinds of decisions,
instead of an application designer at a higher-level). Do you really
need to have role checking in your JSPs? Typically, by the time the view
is being rendered, permissions are somewhat irrelevant.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
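A sketch of the "roll my own security using a filter" route discussed above, added here as an example and not code from the thread, from securityfilter or from Tomcat. It assumes a hypothetical filter class DriveByLoginFilter, the form field names j_username/j_password, and an authenticate() method that a subclass implements against the site's own user store; the filter accepts the embedded form's POST from any page and wraps the request so the site's existing isUserInRole() calls keep working unchanged.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: handles a login POSTed from the layout's embedded form on any page
// (the "drive-by login"), then exposes the user through the standard servlet API.
public abstract class DriveByLoginFilter implements Filter {
    private static final String USER_ATTR = "driveby.user";
    private static final String ROLES_ATTR = "driveby.roles";

    /** Check credentials against your user store; return the user's roles, or null to reject. */
    protected abstract Set<String> authenticate(String username, String password);

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(true);

        // A POST carrying the embedded form's fields (assumed names) is a login attempt,
        // whatever page it came from: no protected resource has to be requested first.
        String username = http.getParameter("j_username");
        if ("POST".equals(http.getMethod()) && username != null) {
            Set<String> roles = authenticate(username, http.getParameter("j_password"));
            if (roles != null) {
                session.invalidate();             // fresh session id: blocks session fixation
                session = http.getSession(true);
                session.setAttribute(USER_ATTR, username);
                session.setAttribute(ROLES_ATTR, roles);
            }
        }

        // On every request, answer getRemoteUser()/getUserPrincipal()/isUserInRole() from the
        // session so the site's existing isUserInRole() checks keep working unchanged.
        final String user = (String) session.getAttribute(USER_ATTR);
        @SuppressWarnings("unchecked")
        final Set<String> roles = (Set<String>) session.getAttribute(ROLES_ATTR);
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public String getRemoteUser() { return user; }
            @Override public Principal getUserPrincipal() {
                return user == null ? null : new Principal() { public String getName() { return user; } };
            }
            @Override public boolean isUserInRole(String role) {
                return roles != null && roles.contains(role);
            }
        }, res);
    }
}
```

Tomcat's own security-constraint rules do not see this principal, so any URL protection has to be enforced in the filter as well, and because the form is accepted from every page it should carry an anti-CSRF token that the filter checks before calling authenticate().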
