
Form-Based Authentication separate login page?

 
Sergey Lotvin
Ranch Hand
Posts: 46
I know that when one uses Form-Based Authentication with the Tomcat server, the login page will arise only if a constrained URL was requested. If one creates a login page that can be called by URL and then enters a valid user/pass, then he gets an error:
HTTP Status 400 - Invalid direct reference to form login page

The idea is clear: in order to catch all requests to constrained pages, login.jsp is to be served by the server only on request. Then, if the credentials are valid, the requested URL will be shown. That is cool. But what if I want a login page also? ...or a small area with username/pass fields which is changed to
Welcome, Mr. President!
when the president has logged in? (see picture)

Is it possible to implement this with jsp/servlet/tomcat7/Form-Based Authentication? If not, what tools shall I use?

Wait a minute... I found the solution for the link. I can name the link like but point the URL to any page, like "Hello, someone! You've successfully logged in." and make that page constrained. Then if one clicks the link, Tomcat will show login.jsp, the user enters valid data and goes to the constrained page with "Hello, ..."

So, the question about the login area remains...
 
Tim Holloway
Bartender
Posts: 18607
Servlet standard version 3.0 added two methods of interest to you.

The authenticate() method invokes the container login process, meaning that it can send you to the login form page, if using form-based login, or initiate a challenge process that pops up a client-side login dialog.

The login() method invokes the security Realm's authenticator directly and is supposed to modify the current HttpServletRequest to reflect a successful login. It's what your login formlet would use.

There is no login/logout event as such that an app can listen for, but when the user is logged in, the HttpServletRequest getRemoteUser() method will return the login userid, or null if the user is not logged in. The reason there's no event is that mechanisms such as Single Signon can have the user already logged in before visiting the application.

Be very careful when using these fancy login mechanisms. When you mix security and non-security elements on a single web page/server request, there's always a danger that you could create an exploit.
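A worked example of the "login area" asked about in the first post, built on the Servlet 3.0 calls described in the reply above (login(), logout() and getRemoteUser()). This is an added example, not code from either poster: the servlet class, the /loginArea path and the username/password/action parameter names are hypothetical. It assumes Tomcat 7 with a Realm and a FORM <login-config> in web.xml, and that /loginArea itself is left out of every <security-constraint>, so requesting it directly never enters the container's own form-login flow (and never produces the "Invalid direct reference to form login page" 400). The user name is HTML-escaped before it is rendered, the pre-authentication session is discarded before login() (a session fixation defence that does not rely on the container doing it), and a failed login gets one generic message whether the user or the password was wrong.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical "login area" servlet (added example). /loginArea is assumed to be
// OUTSIDE every <security-constraint>, so the container's form-login redirect
// (and its "Invalid direct reference" 400) is never triggered for this URL.
@WebServlet("/loginArea")
public class LoginAreaServlet extends HttpServlet {

    // Escape text before placing it in HTML; the user name is client-supplied input.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The small area: a username/password form when nobody is logged in, a greeting
    // plus logout button otherwise. getRemoteUser() is the Servlet 3.0 way to ask
    // "is this request authenticated?" (null means no).
    private void renderArea(HttpServletRequest req, HttpServletResponse resp, String message)
            throws IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        String action = req.getContextPath() + "/loginArea";
        String user = req.getRemoteUser();
        if (message != null) {
            out.println("<p>" + escapeHtml(message) + "</p>");
        }
        if (user == null) {
            out.println("<form method=\"post\" action=\"" + action + "\">");
            out.println("  <input name=\"username\" autocomplete=\"username\">");
            out.println("  <input name=\"password\" type=\"password\" autocomplete=\"current-password\">");
            out.println("  <button type=\"submit\">Log in</button>");
            out.println("</form>");
        } else {
            out.println("<p>Welcome, " + escapeHtml(user) + "!</p>");
            out.println("<form method=\"post\" action=\"" + action + "\">");
            out.println("  <input type=\"hidden\" name=\"action\" value=\"logout\">");
            out.println("  <button type=\"submit\">Log out</button>");
            out.println("</form>");
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        renderArea(req, resp, null);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("logout".equals(req.getParameter("action"))) {
            req.logout();                            // Servlet 3.0: drop the principal
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.invalidate();                // and the session that cached it
            }
            renderArea(req, resp, "You have been logged out.");
            return;
        }
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        if (username == null || password == null) {
            resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            renderArea(req, resp, "Username and password are required.");
            return;
        }
        // Session fixation defence: never carry a pre-authentication session id across
        // the login. Tomcat can do this itself; this code does not rely on it.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        req.getSession(true);
        try {
            // Servlet 3.0: validate against the configured Realm without the redirect
            // to login.jsp, then mark this request (and its session) as authenticated.
            req.login(username, password);
        } catch (ServletException failed) {
            // One message for bad user and bad password: do not reveal which one.
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            renderArea(req, resp, "Login failed.");
            return;
        }
        renderArea(req, resp, null);
    }
}
```

To embed the area in another page, include /loginArea with a <jsp:include> or <c:import> rather than linking to it; either way the area's POST target stays unconstrained, and the pages behind the "Hello, ..." link can keep their <security-constraint>, since login() leaves getRemoteUser() set for the rest of the session.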
 