There's probably a much better way, but I like the fine-grained approach I use. Unfortunately (or fortunately) it requires *every* page you want access controlled to have a <jsp:include> tag. The included JSP file checks a session variable to determine if the user is logged in, and whether or not their 'role' is sufficient (my app-defined roles, not to be confused with the role mechanism contained within Tomcat itself) to access the resource; so the jsp:included page either forwards them to the login page, notifies them they don't have the necessary privileges, or lets them pass through. For the proper jsp:forward after the user successfully logs in (or if s/he already has the proper perms) I just check a calling parameter which I set from the original calling page (which is properly URL encoded) and jsp:forward the user to that resource. You should check for null forwarding parameters in case the access controlled page doesn't actually set its forward address properly (well worth your time). Probably a confusing process, but it makes sense to me! ...and it's working on a large-scale in-house production app; there are performance issues, I'm sure, if you're considering a super-large deployment.

If anybody has a better/quicker solution I'm interested.
>I have a quick question regarding Tomcat's form-based login. I have it working fine for pages that are listed as protected. For example, if a user hits a protected page, they are redirected to a login page, we'll call it "login_required", that says the requested resource requires a login. If they fail the login, the error page, we'll call it "login_invalid", appears, which looks just like the login_required page except it says invalid login, please try again. If the user logs in correctly on any of these pages, they are redirected to the original protected page. This works.
>
>But the user can explicitly log in by clicking on a "log in" link everywhere on the site. I have an idea of how to do this, but I have a couple of questions regarding this idea.
>
>I was going to create a "login_dummy" page, a protected page that is the source of all the "login" links throughout the site. When this page is hit, the whole form-based login process will occur. When the user finally authenticates, the login_dummy page will just redirect them to the home page.
>
>The questions I have are: 1) I would really like to direct the user to the page they were on when they clicked the "login" link. I can't figure out how to do that. And 2) This method requires that I use the "login_required" page described above (the form attached to the form-based login), which will contain text like "the requested resource requires a login, etc, etc." When they click on a login link, they aren't accessing a protected resource, they are just logging in. So I really need a different login page (or just different introductory text). However, I don't know how to differentiate that I'm coming from a direct login link.
>
>The latter issue isn't a big deal, I could always just use a generic login page. Anyway, does anyone have any ideas of how I might be able to implement this?