One more proposal regarding form-based authentication: Right now, if you submit a form to a secured page, and have not authenticated, you are redirected to a login page. Any form parameters that you have submitted are not available to the login page. For a seamless / single sign on experience, it would be nice if the submitter could supply "j_username" and "j_password" and have the form decide if it wants to pick up and use that information for immediate authentication. Right now the only form of SingleSignon available is through cookies. If the calling application has valid credentials, it should be able to authenticate with the container.
I cannot see what part of the spec this violates, but I very well could be missing something. Also, am I simply missing a better way to do this? We have an application where the user has already been authenticated and this same user is authorized to use Tomcat's manager and admin applications. Tomcat is using the same type of realm, so the credentials pass over directly. It would be nice to provide seamless operation between all of these web applications using standard Tomcat. Is this possible?
We've made the code changes to make all of this happen as described in the first paragraph, but we want to be sure that this is a good thing to do, and if so, get our changes submitted back to Tomcat itself (not wanting to patch them in every time Tomcat is re-released, at which time we'll bag our current solution for a filter-based one).
Thanks,
Jeff Tulley ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com