Hi, Steve and Chris.

Steve, can you use AJAX to request a protected resource and then provide the username/password to your real login page (configured in web.xml) or directly to j_security_check? I don't know if this will work (or if this is what you have in mind), but:
1. Design your "unprotected" pages at will (including a small login box);
2. When the user fills in the form in your small login box:
   - Send a JS XmlHttpRequest (AJAX) to a protected resource (for instance protected_resource.jsp);
   - Send a JS XmlHttpRequest to your real login page (login.jsp) or to j_security_check, passing j_username and j_password extracted from your small login box (you can detect whether the login has failed using the response of the XmlHttpRequest);
   - If all is right, reload the page or load any other resource that you want.

Will it work?

On Tue, 2009-06-30 at 08:41 -0400, Steve B. wrote:
> Chris,
>
> Thanks, yes, a "drive-by login" is what I am after. I am bummed that
> Tomcat does not support this - it seems the common setup on most sites I
> visit on the Net. (I suppose it is more accurate to say that I am bummed
> that the J2EE standard does not define this behavior, as Tomcat is only
> implementing those rules.)
>
> I agree with your view of isUserInRole() - but this is a large
> application in which I am loath to change everything.
>
> I will check out the packages you mention or roll my own security using
> a filter or similar.
>
> Thanks again for the response!
>
> Steve B.
>
>
> Christopher Schultz wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Steve,
> >
> > On 6/29/2009 1:58 PM, Steve B. wrote:
> >> I understand that Tomcat's FORM authorization setup expects me to secure
> >> URLs and then let Tomcat invoke the login form before proceeding to
> >> these URLs when requested.
> >>
> >> However, I have a site for which we are creating a new layout which
> >> includes a small login form in the left column. Throughout the site we
> >> use roles defined in the web.xml (checked using isUserInRole()). I see
> >> many sites use this layout-embedded login form, so I expect there is
> >> some way to set this up in Tomcat. Can someone point me at some info? I
> >> am using Struts in case that matters.
> >
> > So, you want to be able to invoke j_security_check without first having
> > requested a protected resource, right? I call this a "drive-by login",
> > and, unfortunately, Tomcat does not support this directly.
> >
> > I switched to use securityfilter (http://securityfilter.sourceforge.net)
> > primarily for this reason. Alternatives include using ACEGI (or "Spring
> > Security" these days) (I think... I haven't used it, so I don't know if
> > drive-by logins are supported) or writing your own authentication and
> > authorization mechanism. You could even patch Tomcat directly to allow
> > this kind of login, but you run the risk of tying yourself to a
> > particular version (or even patch level) of Tomcat. That's why I
> > recommend using something like securityfilter.
> >
> >> I see many sites use this concept of putting the login form in the
> >> template - does this setup require me to abandon Tomcat's
> >> authentication/authorization mechanisms? My site has many pages and
> >> features which all use isUserInRole() - I dread having to recode the
> >> whole site just for a simple login form.
> >
> > FWIW, I find using isUserInRole to be tedious and possibly insecure
> > (that is, the page developer has to make these kinds of decisions,
> > instead of an application designer at a higher level). Do you really
> > need to have role checking in your JSPs? Typically, by the time the view
> > is being rendered, permissions are somewhat irrelevant.
> >
> > - -chris
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.9 (MingW32)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> >
> > iEYEARECAAYFAkpJGpIACgkQ9CaO5/Lv0PCv2QCgsFGy2sc7hIFK3R6dkub2MJIQ
> > qeAAn1TScfQZGla8LkTGP5lzdqJqdcFM
> > =GOhP
> > -----END PGP SIGNATURE-----
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
>

--
"If there must be trouble, let it be in my day, that my child may have peace." Thomas Paine
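The two-request "drive-by login" proposed at the top of this thread, written out as browser script. This is an added example and not code from any participant (nobody in the thread posted code). fetch() stands in for the XmlHttpRequest the message mentions; the paths protected_resource.jsp, loginError.jsp and the /app context are placeholders for whatever the real web.xml declares, and the fetchImpl parameter is only there so the flow can be exercised offline against a stand-in server.

```javascript
// Added example, not from the thread: drive-by login against Tomcat's FORM
// authenticator from an embedded login box, following the recipe above.
// fetch() replaces the XmlHttpRequest of the original message. `fetchImpl`
// is injectable so the flow can be run offline with a fake server.
//
// Assumed paths (placeholders, adjust to the real web.xml):
//   PROTECTED_URL - any URL covered by a <security-constraint>
//   LOGIN_ACTION  - Tomcat's FORM login action, fixed by the Servlet spec
//   ERROR_PAGE    - the <form-error-page> from <login-config>
const PROTECTED_URL = "/app/protected_resource.jsp";
const LOGIN_ACTION = "/app/j_security_check";
const ERROR_PAGE = "/app/loginError.jsp";

// Body of the login POST. The field names j_username and j_password are
// fixed by the Servlet spec and the form must be x-www-form-urlencoded.
function buildLoginBody(username, password) {
  return new URLSearchParams({ j_username: username, j_password: password }).toString();
}

// Decide from the final response whether the FORM login worked.
//  - good password: Tomcat redirects to the saved protected request, fetch
//    follows it, so the final URL is the protected resource;
//  - bad password: Tomcat forwards to the form-error-page server-side, so
//    the URL still reads j_security_check (some setups redirect to the
//    error page instead, hence both checks);
//  - HTTP 400: no saved request in the session (Tomcat's "Invalid direct
//    reference to form login page"), i.e. step 1 was skipped or the
//    session cookie was lost between the two requests.
function classifyLoginResponse(response) {
  if (response.status === 400) return "no-saved-request";
  if (!response.ok) return "error";
  const finalPath = new URL(response.url, "http://localhost").pathname;
  if (finalPath === PROTECTED_URL && response.redirected) return "success";
  if (finalPath === LOGIN_ACTION || finalPath === ERROR_PAGE) return "bad-credentials";
  return "unknown";
}

async function driveByLogin(username, password, fetchImpl = globalThis.fetch) {
  // Step 1: touch a protected resource so Tomcat stores the request in the
  // session and arms j_security_check. The login page it returns is ignored;
  // credentials: "same-origin" makes the browser keep the JSESSIONID cookie.
  await fetchImpl(PROTECTED_URL, { credentials: "same-origin" });

  // Step 2: post the credentials from the embedded login box.
  const response = await fetchImpl(LOGIN_ACTION, {
    method: "POST",
    credentials: "same-origin",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: buildLoginBody(username, password),
  });
  const outcome = classifyLoginResponse(response);

  // Step 3: on success reload, so the page renders with the new principal
  // and the existing isUserInRole() checks see the user's roles.
  if (outcome === "success" && typeof window !== "undefined") {
    window.location.reload();
  }
  return outcome;
}
```

Two things to keep in mind when wiring this to a real login box: the first request is not optional, because Tomcat only accepts a POST to j_security_check when the session already holds a saved request from a protected URL, and both requests must run in the same session, so the box has to live on the same origin as the protected pages. Since the password travels in the POST body, the page hosting the box should itself be served over HTTPS, the same requirement the normal Tomcat login form has.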