Here ya go... I used scriptlets for the example, but I used taglibs in actual code.
login.form--------------------------------------
<html><body>
<form method="POST" action="/loginAction.do" >
  <table border="0" cellspacing="5">
    <tr>
      <th align="right">Username:</th>
      <td align="left"><input type="text" name="j_username"></td>
    </tr>
    <tr>
      <th align="right">Password:</th>
      <td align="left"><input type="password" name="j_password"></td>
    </tr>
    <tr>
      <td align="right"><input type="submit" value="Log In"></td>
      <td align="left"><input type="reset"></td>
    </tr>
  </table>
  Authenticated as:<%= request.getRemoteUser() %><br>
  <%
  if (session.getAttribute("username") == null) {
      out.println("Not Logged In");
  } else {
      out.println("Logged In as: " + session.getAttribute("username") + "<br><a href='/smartcafe/logout.jsp'>Logoff</a>");
  }
  %><br>
</form>
</body></html>
loginAction servlet-----------------------------
// validate user against LDAP
HttpSession session = request.getSession(true);
LDAPActor la = new LDAPActor();
String username = request.getParameter("j_username");
String password = request.getParameter("j_password");
boolean result = la.authenticate(username, password, LDAPActor.AUTH_BY_CN);
if (result) {
    // if principal is set then logout person
    if (request.getUserPrincipal() != null) {
        session.invalidate();
        session = request.getSession(true);
    }
    // kept in session so loginRouter.jsp can replay them to j_security_check later
    session.setAttribute("username", username);
    session.setAttribute("password", password);
    // setup any additional vars
    response.sendRedirect("index.jsp");
} else {
    // invalid auth
    response.sendRedirect("login.jsp");
}
web.xml-------------------------------------
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Testing</web-resource-name>
    <url-pattern>/authentication/east.jsp</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>EAST</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Testing</web-resource-name>
    <url-pattern>/courses</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Students</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>default</realm-name>
  <form-login-config>
    <form-login-page>/loginRouter.jsp</form-login-page>
    <form-error-page>/authentication/error.jsp</form-error-page>
  </form-login-config>
</login-config>
loginRouter.jsp page----------------------------------
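<%@ page import = "java.net.*" %>
<%
// Credentials saved by the loginAction servlet, but no container principal yet:
// replay them to the container's form-login endpoint.
if (session.getAttribute("username") != null
        && session.getAttribute("password") != null
        && request.getUserPrincipal() == null) {
    String username = (String) session.getAttribute("username");
    String password = (String) session.getAttribute("password");
    // two-argument encode(); the one-argument form is deprecated
    response.sendRedirect("j_security_check?j_username=" + URLEncoder.encode(username, "UTF-8")
            + "&j_password=" + URLEncoder.encode(password, "UTF-8"));
}
%>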
--------------------------------------------------
Within the servlet, the LDAPActor is an API I wrote to talk to LDAP. The login form is an include on the home, secondary, or login page [not on loginRouter.jsp]. loginRouter.jsp is used as a redirection page. After the action, the username/password are kept in session but the user has not had to access a protected resource (PR). But the first time they attempt to access a PR, they are sent to loginRouter.jsp. Then, the router sends an authentication call. If valid, they are sent to the PR they requested.
So in essence, the code lets the user save their username/password in session until the system actually needs it.
[ February 07, 2002: Message edited by: Ray Lim ]
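An added example, not part of the original post or the poster's code: on a Servlet 3.0 or later container, HttpServletRequest.login() establishes the container principal directly in the login action, so the password does not have to be kept in the session or replayed to j_security_check in a redirect URL, where it would be recorded in access logs and browser history. It assumes the container's realm is configured against the same LDAP directory that LDAPActor queries; the class name LoginActionServlet is hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumption: Servlet 3.0+ container (javax.servlet namespace) whose realm
// already authenticates against LDAP and supplies the EAST / Students roles.
@WebServlet("/loginAction.do")
public class LoginActionServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("j_username");
        String password = request.getParameter("j_password");
        if (username == null || password == null) {
            response.sendRedirect("login.jsp");
            return;
        }

        // login() throws if a principal is already established, so clear it first.
        if (request.getUserPrincipal() != null) {
            request.logout();
        }
        // Discard the pre-login session on every login, not only when a
        // principal exists, so a session ID issued before login is never reused.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        // Create the new session before login() so the container has a
        // session in which to cache the authenticated principal.
        HttpSession session = request.getSession(true);

        try {
            request.login(username, password);   // container realm check
        } catch (ServletException e) {
            session.invalidate();
            response.sendRedirect("login.jsp");   // invalid auth
            return;
        }

        session.setAttribute("username", username);  // display name only, no password
        response.sendRedirect("index.jsp");
    }
}
```

With this in place the form-login-page in web.xml can point at the login page itself, since there are no stored credentials for loginRouter.jsp to replay.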