Form Based Authentication

I have been trying to use form based authentication without much success. I have a simple web application that gives access to some resources. I start with a login page and from this page I want to forward authorized users to the resources (web page). After configuring the web.xml file, how exactly do I state which page to forward to after a successful login?

I have read quite a bit of stuff about using j_security_check, but nothing tells me how to specify where to go after a user has logged in successgully.

Anyone wiht some light?

You don't specify that directly. You access the page, and -upon seeing that is protected- the server will redirect to the login page, and upon suscessful login, back to the page that was first requested. So the first page to access isn't the login page, it's the main content-bearing page.

Thanks, I suspected it would be so. Now, I get the first part. I have renamed made my main content page (index.jsp) and now indeed the server redirects to the login page (loginForm.jsp). I however do not go back to the original page requested when I type in my username and password correctly. I get the error page.

I am using a java db database as my credentials source. I think I have configured my server.xml file properly. The code below shows the relevant section from 'server.xml'

<Realm className="org.apache.catalina.realm.JDBCRealm"
debug="99"
driverName = "org.apache.derby.jdbc.ClientDriver"
connectionURL="jdbc:derby://localhost:1527/OfficeAppsDB"
connectioinName="admin"
connectionPassword="Passw0rd"
userTable="users"
userNameCol="username"
userCredCol="userpassword"
userRoleTable="user_roles"
roleNameCol="rolename"
/>


Is there anything I am missing out?

Apart from the obvious spelling error in the realm definition, the issue was two-fold.

The realm had to be defined in a separate file, not the 'server.xml' file. Apache uses this file to define its own realm used to allow users to actually start the server. For your own application, you must define your realm in the 'context.xml' file of the application (in NetBeans). This may be <application_name>.xml for other IDEs (perhaps Eclipse).

Also, the jar file for the database to be used for authentication had to be placed in the apache tomcat lib folder. This doesn't sound very scalable, but understandable if you are using a custom database for your credentials data source. Using LDAP would be handy, wouldnt it?

One small problem: the permission granted is somehow tied to the browser. I had another browser window (tab) open before launcing my application. After closing my tab and relaunching, I went straight to the 'protected' page.

How do I limit the authentication to the session and NOT the application?
[ March 28, 2008: Message edited by: Princeton Ebanks ]