Subject: Re: Form Based Authorization Question
From: Craig R. McClanahan (Crai...@eng.sun.com)
Date: Jan 11, 2001 3:23:56 pm
David Haraburda wrote:
I am implementing the Java Servlet Form based login mechanism in my web application, and had a question. Is it possible for me to have a "default location" that a user goes to when they login?
You can do such things at the application level, but container-managed security will not do it for you.
Have you ever signed up for a subscription-based web site that uses BASIC authentication? What happens is that the username/password dialog box pops up -- you answer the questions -- and are then forwarded to whatever URL you originally asked for (without having to resubmit the request).
The form-based login mechanism simulates a popup by remembering your original request, and then automatically executing it after you have authenticated yourself. The user experience is pretty much the same thing.
In many instances, a user will go directly to the login JSP, rather than requesting a web resource first (which then causes Tomcat to display the login page, and then redirect back to the resource after authentication). If they haven't requested a resource, I'd like the login to take them to their "home" (different roles have different homes in my application). The only way I see right now is to check and see if session.getAttribute("tomcat.auth.originalLocation") is null, but that seems rather naughty... Is this the only way of doing it? I have written my own Realm object (that extends BaseInterceptor) for authentication/authorization purposes. Could something be done in there?
The way I program a webapp that uses container-managed security is to never explicitly reference the login page (if any) at all. The servlet container will do the right thing to authenticate a user, the first time that a protected page is requested, if and only if the container does not already know who the user is.
This approach means I can switch between authentication methods (BASIC, DIGEST, FORM, or CLIENT-CERT) with zero changes to my application logic.
From within the app, you can tell whether the user has been authenticated or not by calling request.getRemoteUser() or request.getUserPrincipal().
Thanks once again for the help,
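Craig's advice amounts to making the "home" resource itself a protected page, so the container (not the application) triggers the login, and then routing by role inside that resource. The servlet below is an added illustration of that pattern, not code from this thread or from Tomcat; it assumes a web.xml that protects /home with a <security-constraint> under a FORM <login-config>, and the role names admin and member are assumptions.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Landing servlet mapped to /home, which the (assumed) web.xml protects with a
 * <security-constraint> under a FORM <login-config>. Nothing here references
 * the login page: the container authenticates the first request to /home and
 * replays it, so this code only runs for an authenticated user and routes by role.
 */
public class HomeServlet extends HttpServlet {

    // Hypothetical role -> home mapping; the role names are assumptions.
    // Insertion order decides precedence for users holding several roles.
    private static final Map<String, String> HOMES = new LinkedHashMap<>();
    static {
        HOMES.put("admin", "/admin/index.jsp");
        HOMES.put("member", "/member/index.jsp");
    }

    /** Home path for the caller, or null when no known role matches. */
    static String homeFor(HttpServletRequest request) {
        for (Map.Entry<String, String> e : HOMES.entrySet()) {
            if (request.isUserInRole(e.getKey())) {
                return e.getValue();
            }
        }
        return null;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if (request.getUserPrincipal() == null) {
            // Only reachable if the security constraint is missing; fail closed.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String home = homeFor(request);
        if (home == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "No home configured for " + request.getRemoteUser());
            return;
        }
        // Redirect so the browser lands on the role's home URL.
        response.sendRedirect(request.getContextPath() + home);
    }
}
```

The per-role home directories (/admin/*, /member/*) still need their own security constraints; the redirect is a convenience, not the access control.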