Hi, Steve and Chris.

        Steve, can you use AJAX to request a protected resource and to provide
username/password to your real login page (configured in web.xml) or
directly to j_security_check?
        I don't know if this will work (and if this is what you have in mind),
but:

        1. Design your "unprotected" pages at your will (including a small
login box);
        2. When the user fills in the form in your small login box,
                - Send a JS XmlHttpRequest (AJAX) to a protected resource (for
instance protected_resource.jsp);
                - Send a JS XmlHttpRequest to your real login page (login.jsp)
or to j_security_check, passing j_username and j_password extracted from
your small login page (you can detect whether login has failed or not
using the response of the XmlHttpRequest);
                - If all is right, reload the page or load any other resource
that you want.


        Will it work?


On Tue, 2009-06-30 at 08:41 -0400, Steve B. wrote:
> Chris,
> 
> Thanks, yes, a "drive-by login" is what I am after. I am bummed that 
> Tomcat does not support this - it seems the common setup on most sites I 
> visit on the Net. (I suppose it is more accurate to say that I am bummed 
> that the J2EE standard does not define this behavior as Tomcat is only 
> implementing those rules.)
> 
> I agree with your view of isUserInRole() - but this is a large 
> application in which I am loath to change everything.
> 
> I will check out the packages you mention or roll my own security using 
> a filter or similar.
> 
> Thanks again for the response!
> 
> Steve B.
> 
> 
> Christopher Schultz wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > Steve,
> > 
> > On 6/29/2009 1:58 PM, Steve B. wrote:
> >> I understand that Tomcat's FORM authorization setup expects me to secure
> >> URL's and then let Tomcat invoke the login form before proceeding to
> >> these URL's when requested.
> >>
> >> However, I have a site for which we are creating a new layout which
> >> includes a small login form in the left column. Throughout the site we
> >> use roles defined in the web.xml (checked using isUserInRole() ). I see
> >> many sites use this layout-embedded login form, so I expect there is
> >> some way to set this up in Tomcat. Can someone point me at some info? I
> >> am using Struts in case that matters.
> > 
> > So, you want to be able to invoke j_security_check without first having
> > requested a protected resource, right? I call this a "drive-by login",
> > and, unfortunately, Tomcat does not support this directly.
> > 
> > I switched to use securityfilter (http://securityfilter.sourceforge.net)
> > primarily for this reason. Alternatives include using ACEGI (or "Spring
> > Security" these days) (I think... I haven't used it so I don't know if
> > drive-by logins are supported) or writing your own authentication and
> > authorization mechanism. You could even patch Tomcat directly to allow
> > this kind of login, but you run the risk of tying yourself to a
> > particular version (or even patch level) of Tomcat. That's why I
> > recommend using something like securityfilter.
> > 
> >> I see many sites use this concept of putting the login form in the
> >> template - does this setup require me to abandon Tomcat's
> >> authentication/authorization mechanisms? My site has many pages and
> >> features which all use the isUserInRole() - I dread having to recode the
> >> whole site just for a simple login form.
> > 
> > FWIW, I find using isUserInRole to be tedious and possibly insecure
> > (that is, the page developer has to make these kinds of decisions,
> > instead of an application designer at a higher-level). Do you really
> > need to have role checking in your JSPs? Typically, by the time the view
> > is being rendered, permissions are somewhat irrelevant.
> > 
> > - -chris
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.9 (MingW32)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> > 
> > iEYEARECAAYFAkpJGpIACgkQ9CaO5/Lv0PCv2QCgsFGy2sc7hIFK3R6dkub2MJIQ
> > qeAAn1TScfQZGla8LkTGP5lzdqJqdcFM
> > =GOhP
> > -----END PGP SIGNATURE-----
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> > 
> 
> 
-- 
"If there must be trouble, let it be in my day, 
 that my child may have peace."

Thomas Paine
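The two-step flow proposed at the top of this message (touch a protected resource so the container saves the original request, then POST j_username/j_password to j_security_check and judge success from the response), written out as an added example. This is not code from the thread, from Tomcat or from securityfilter. It assumes a send(method, url, body) helper that in a browser would wrap XMLHttpRequest and return { status, finalUrl, body }; the FakeTomcatFormAuth class is a constructed stand-in for the container so the flow can be exercised offline, and the user table it holds is sample data.

```javascript
// Browser-side drive-by login. `send(method, url, body)` is assumed to wrap
// XMLHttpRequest (synchronous here for clarity) and to follow redirects,
// returning { status, finalUrl, body }.
function driveByLogin(send, protectedUrl, username, password) {
  // Step 1: request a protected resource. If FORM auth is active and we are
  // not logged in, the container saves this request and serves the login page.
  const first = send('GET', protectedUrl, null);
  if (!isLoginPage(first.body)) {
    return { ok: true, reason: 'already-authenticated' };
  }
  // Step 2: post the credentials with the container's parameter names.
  const form = 'j_username=' + encodeURIComponent(username) +
               '&j_password=' + encodeURIComponent(password);
  const second = send('POST', '/j_security_check', form);
  // Step 3: decide from the response. Success ends on the originally
  // requested resource; failure ends on the error page (or the login page).
  if (second.status === 200 && second.finalUrl === protectedUrl &&
      !isLoginPage(second.body)) {
    return { ok: true, reason: 'authenticated' };
  }
  if (second.body.indexOf('LOGIN FAILED') !== -1) {
    return { ok: false, reason: 'bad-credentials' };
  }
  return { ok: false, reason: 'unexpected' };
}

// Brittle by nature: the login page is recognised by its j_username field.
// A dedicated marker in your own login.jsp is a more robust signal.
function isLoginPage(body) {
  return body.indexOf('name="j_username"') !== -1;
}

// Constructed simulator of a servlet container's FORM authentication for one
// session (not Tomcat's code): it saves the request that triggered the login,
// refuses j_security_check when no request was saved, and on success sends the
// client back to the saved request.
class FakeTomcatFormAuth {
  constructor(users) {
    this.users = users;         // sample data: { username: password }
    this.authenticated = false;
    this.pending = null;        // resource requested before login
  }
  send(method, url, body) {
    if (url === '/j_security_check' && method === 'POST') {
      const params = new URLSearchParams(body);
      const u = params.get('j_username');
      const p = params.get('j_password');
      if (this.pending === null) {
        // No saved request: the container cannot complete a form login.
        return { status: 400, finalUrl: url,
                 body: 'Invalid direct reference to form login page' };
      }
      if (Object.prototype.hasOwnProperty.call(this.users, u) &&
          this.users[u] === p) {
        this.authenticated = true;
        const target = this.pending;
        this.pending = null;
        return this.send('GET', target, null);   // the redirect being followed
      }
      return { status: 200, finalUrl: '/error.jsp', body: '<p>LOGIN FAILED</p>' };
    }
    if (url.indexOf('/protected/') === 0) {
      if (this.authenticated) {
        return { status: 200, finalUrl: url, body: '<p>secret content</p>' };
      }
      this.pending = url;
      return { status: 200, finalUrl: '/login.jsp',
               body: '<form action="j_security_check">' +
                     '<input name="j_username"><input name="j_password"></form>' };
    }
    return { status: 200, finalUrl: url, body: '<p>public content</p>' };
  }
}

// Usage against the simulator (in a page, `send` would wrap XMLHttpRequest):
const demoServer = new FakeTomcatFormAuth({ alice: 's3cret' });
const demoSend = (m, u, b) => demoServer.send(m, u, b);
const demoResult = driveByLogin(demoSend, '/protected/home.jsp', 'alice', 's3cret');
```

The first GET is what makes the j_security_check POST legal: a form-login POST with no saved request is exactly the case Tomcat rejects, which is why the thread says the container does not support a "drive-by" login on its own. Treat the outcome check as an application concern (the final URL and a known marker from your own pages), not as a security boundary; the container still decides what is served.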


