Re: How do I support a login form embedded in templates

by Steve B.-4

Chris,

Thanks, yes, a "drive-by login" is what I am after. I am bummed that
Tomcat does not support this - it seems the common setup on most sites I
visit on the Net. (I suppose it is more accurate to say that I am bummed
that the J2EE standard does not define this behavior as Tomcat is only
implementing those rules.)

I agree with your view of isUserInRole() - but this is a large
application in which I am loath to change everything.

I will check out the packages you mention or roll my own security using
a filter or similar.

Thanks again for the response!

Steve B.


Christopher Schultz wrote:

> Steve,
>
> On 6/29/2009 1:58 PM, Steve B. wrote:
>> I understand that Tomcat's FORM authorization setup expects me to secure
>> URL's and then let Tomcat invoke the login form before proceeding to
>> these URL's when requested.
>>
>> However, I have a site for which we are creating a new layout which
>> includes a small login form in the left column. Throughout the site we
>> use roles defined in the web.xml (checked using isUserInRole() ). I see
>> many sites use this layout-embedded login form, so I expect there is
>> some way to set this up in Tomcat. Can someone point me at some info? I
>> am using Struts in case that matters.
>
> So, you want to be able to invoke j_security_check without first having
> requested a protected resource, right? I call this a "drive-by login",
> and, unfortunately, Tomcat does not support this directly.
>
> I switched to use securityfilter (http://securityfilter.sourceforge.net)
> primarily for this reason. Alternatives include using ACEGI (or "Spring
> Security" these days) (I think... I haven't used it so I don't know if
> drive-by logins are supported) or writing your own authentication and
> authorization mechanism. You could even patch Tomcat directly to allow
> this kind of login, but you run the risk of tying yourself to a
> particular version (or even patch level) of Tomcat. That's why I
> recommend using something like securityfilter.
>
>> I see many sites use this concept of putting the login form in the
>> template - does this setup require me to abandon Tomcat's
>> authentication/authorization mechanisms? My site has many pages and
>> features which all use the isUserInRole() - I dread having to recode the
>> whole site just for a simple login form.
>
> FWIW, I find using isUserInRole to be tedious and possibly insecure
> (that is, the page developer has to make these kinds of decisions,
> instead of an application designer at a higher-level). Do you really
> need to have role checking in your JSPs? Typically, by the time the view
> is being rendered, permissions are somewhat irrelevant.
>
> -chris
>
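
An added example, not code from either poster nor from Tomcat or securityfilter: one shape the "roll my own security using a filter" option can take, handling a login POST from any page and wrapping later requests so existing isUserInRole() calls keep working. It assumes the javax.servlet API on Java 8 or later; the class name, the `/drive-by-login` path, the session attribute names and the `authenticate()` hook are all hypothetical.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter, mapped to /* through a concrete subclass in web.xml.
public abstract class DriveByLoginFilter implements Filter {
    // Assumed session attribute names.
    private static final String USER = "auth.user", ROLES = "auth.roles";

    /** Hypothetical hook: return the user's roles, or null when the credentials are wrong. */
    protected abstract Set<String> authenticate(String user, String password);

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // Assumed form action: the template-embedded form POSTs here from any page.
        if ("POST".equals(req.getMethod()) && "/drive-by-login".equals(req.getServletPath())) {
            String name = req.getParameter("j_username");
            Set<String> granted = authenticate(name, req.getParameter("j_password"));
            HttpSession old = req.getSession(false);
            if (old != null) old.invalidate();   // fresh session id on every login attempt
            if (granted != null) {
                HttpSession fresh = req.getSession(true);
                fresh.setAttribute(USER, name);
                fresh.setAttribute(ROLES, granted);
            }
            // Fixed targets only: never redirect to a URL taken from the request.
            res.sendRedirect(req.getContextPath() + (granted != null ? "/" : "/?loginFailed=1"));
            return;
        }
        HttpSession s = req.getSession(false);
        final String user = (s == null) ? null : (String) s.getAttribute(USER);
        @SuppressWarnings("unchecked")
        final Set<String> roles = (s == null) ? null : (Set<String>) s.getAttribute(ROLES);
        if (user == null) { chain.doFilter(req, res); return; }  // anonymous: pass through
        // Logged in: answer the standard servlet security calls from session state.
        chain.doFilter(new HttpServletRequestWrapper(req) {
            @Override public boolean isUserInRole(String role) { return roles != null && roles.contains(role); }
            @Override public String getRemoteUser() { return user; }
            @Override public Principal getUserPrincipal() { return () -> user; }
        }, res);
    }
}
```

Declarative `<security-constraint>` rules in web.xml are enforced by the container before any filter runs and will not see a login made this way; only programmatic checks such as isUserInRole() are covered.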
