Serving content based on authenticated roles

Hi

I would like my users to authenticate (username/password) from the home page (index.html), or one click from the home page to use SSL. When the user is authenticated I would like the server to look up the user's role in a role table and serve them with content spedific to that role (or to send them to a session based role selector page if they have more than one role).

I'm considering Container Managed Security (CMS) using form-based authentication with DataSourceRealm and SSL on the server side.

However, when using CMS the user is directed to the form-login-page only when the user tries to access a constrained resource or servlet. So CMS acts more like a hurdle, while I would like it act a little more proactively.

Any clues on how on how I can get a user to authenticate before they try to access a constrained resource, and then serve them content based on their authentication details? (Using Ajax would be prefered).

Thanks

Marten

marten kay wrote:Hi

I would like my users to authenticate (username/password) from the home page (index.html), or one click from the home page to use SSL. When the user is authenticated I would like the server to look up the user's role in a role table and serve them with content spedific to that role (or to send them to a session based role selector page if they have more than one role).

I'm considering Container Managed Security (CMS) using form-based authentication with DataSourceRealm and SSL on the server side.

However, when using CMS the user is directed to the form-login-page only when the user tries to access a constrained resource or servlet. So CMS acts more like a hurdle, while I would like it act a little more proactively.

Any clues on how on how I can get a user to authenticate before they try to access a constrained resource, and then serve them content based on their authentication details? (Using Ajax would be prefered).

Thanks

Marten

Marten, how is your security constraint defined in web.xml. I mean to ask what are the resources in your webapp, you are constraining.

Hi Kumar

I am still in the design stages, so I can't give my web.xml example at the moment. However the scenario is this, the application is for teachers testing students so whenever a teacher logs in the page they see must be different to when the student logs in, and when the student logs in they should not be able to access the teacher's servlets or jsps.

My current thinking is to implement authentication myself and to have all requests to the app come through one servlet that authenticates (when details entered by user from index.jsp) and then based on roles found during authentication the request is delegated to an object to process the request. For future requests, the request would come through the same single servlet where the authority for the user is checked before delegating the request to an object to process. This seems simple enough to do, but I'm not too sure if it's a good idea to implement all security myself.

Marten