
Login-config Question

 
Ram Gokul
Ranch Hand
Posts: 85
1. Why is the <login-config> outside the <security-constraint> node?

If my understanding is correct, only if a resource requested by the client is constrained (that is, it is defined inside the URL pattern of a security constraint), then in order to authenticate/authorize, the container brings up the username/password prompt. If such is the case, shouldn't the login-config be inside the security constraint (the same way as <transport-guarantee>)?

2. What is the default value of <login-config>?
3. Does the login-config affect unsecured resources also?

Thanks
 
Charles Lyons
Author
Ranch Hand
Posts: 836
<login-config> is used to specify the way in which you would like your users to login - for example, by Basic or Form authentication. It's separate from any particular <security-constraint> because usually you'll want the same authentication method to be used across all constraints in your application - doing it this way prevents you having to type the same thing multiple times, in every constraint.

However, there are times when I'd like to specify one type of login for one part of the site, and another type for something else. This can't be done in the current DD, but it would be a small but nice feature if they'd allow multiple <login-config>s and then add some form of identifier attached to each constraint specifying which login method to use. That way I could use Basic authentication for admin facilities (where no glamorous pages are required) and Form otherwise.

I think (you'd need to verify this) that BASIC is the default authentication method, but this could be container-dependent.
[ August 04, 2006: Message edited by: Charles Lyons ]
 
Ram Gokul
Ranch Hand
Posts: 85
If the user requests an unconstrained resource, one not in the URL pattern of a security constraint, does the container still call the login-config authentication?

Thanks
 
Charles Lyons
Author
Ranch Hand
Posts: 836
No: if the resource is unconstrained, there is no need to perform authentication. Likewise, if the user is already logged in, the <login-config> authentication mechanism won't be invoked for a second time.
 