-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Andrew,

On 2/21/13 2:21 PM, Andrew Winter wrote:
> On Wed, Feb 20, 2013 at 10:38 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>> André,
>>
>> On 2/20/13 1:40 PM, André Warnier wrote:
>>> Andrew Winter wrote:
>>>> On Wed, Feb 20, 2013 at 5:13 AM, André Warnier <a...@ice-sa.com> wrote:
>>>>
>>>> Okay, I have this resolved, now. I went with the FORM authentication method and created a servlet that will create a login screen on an isSecure() connection. For standard HTTP requests I pass over a self-submitting form with the credentials included. This will work for the human interfaces and I will just have to deal with any programmatic access problems as I find them.
>>>>
>>> You could probably just "force" an authenticated user into Tomcat (userPrincipal and that kind of thing) when the connection is internal. That would also probably solve your programmatic access case.
>>
>> Or just use HttpServletRequest.login(String username, String password). No need to force an actual form.
>
> I have tried the HttpServletRequest.login(String username, String password). I find that it works if I put it in the servlet I made for the FORM login. But it requires a second request to actually reach the page. The first request serves to authenticate only. Is there a way to do this so that I can get to the web app with the same request that does the log in?

I'm not sure exactly what you mean. In a typical FORM login configuration, the user has to request a protected page /first/, and then gets a login form as a challenge. After successful authentication, the user is redirected to the original resource and all is well.

For your users, they can skip the login form altogether. If they attempt to access a protected resource before you call login(), they will get the login page, which isn't what you want.

Instead, you want them to hit a separate, non-protected resource that can call login() if they are connecting over HTTPS. You might be able to do it like this:

All users hit an unprotected resource, e.g. /access

/access is mapped to a servlet that
  a) detects whether HTTPS is in use and
  b) calls login if HTTPS and redirects to "home" page or
  c) redirects to "home" page which triggers the container-managed authentication described above.

Users who are using HTTPS and directly request protected pages will always get the login page -- there's no way around that without writing a Tomcat Valve and loading it earlier in the valve chain than the authenticator valve.

-chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEAREIAAYFAlEmdW8ACgkQ9CaO5/Lv0PB1SQCfX8mtoJdqscZasFDEej2FnaPX
Ou0AoJi0o5Jfj3Zn9sFDMOg0xmOhnvum
=cgOw
-----END PGP SIGNATURE-----
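The unprotected /access servlet sketched in Chris's reply, written out as an added example for readers of the thread (this is not code posted by anyone in the thread or shipped with Tomcat). It follows the a/b/c steps above: check isSecure(), call HttpServletRequest.login() on HTTPS, then redirect to the protected home page so the next request arrives with the Principal already bound to the session. The class name AccessServlet, the "/home" path and the j_username/j_password parameter names are assumptions; how the credentials reach the servlet (a POST from an HTTPS form) is likewise assumed.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical "/access" entry point. This URL must NOT be covered by a
// <security-constraint> in web.xml; otherwise the container's FORM
// authenticator challenges the client before this servlet ever runs.
@WebServlet("/access")
public class AccessServlet extends HttpServlet {

    // Assumed protected page; the container's FORM authentication applies here.
    private static final String HOME = "/home";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Case (c): no credentials carried on a GET, so just send the user to
        // the protected page and let container-managed authentication run.
        resp.sendRedirect(req.getContextPath() + HOME);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // Already authenticated in this session: nothing more to do.
        if (req.getUserPrincipal() != null) {
            resp.sendRedirect(req.getContextPath() + HOME);
            return;
        }

        // Case (a): only accept credentials over TLS. On plain HTTP fall
        // through to case (c) and let the container show its login page.
        if (!req.isSecure()) {
            resp.sendRedirect(req.getContextPath() + HOME);
            return;
        }

        String user = req.getParameter("j_username");
        String pass = req.getParameter("j_password");
        if (user == null || pass == null) {
            // HTTPS but no credentials supplied: container auth handles it.
            resp.sendRedirect(req.getContextPath() + HOME);
            return;
        }

        // Case (b): programmatic login (Servlet 3.0). On success Tomcat
        // registers the Principal on the session, so the constraints on HOME
        // are satisfied by the redirected request that follows.
        try {
            req.login(user, pass);
        } catch (ServletException e) {
            // Wrong credentials or Realm failure; give one generic answer
            // rather than telling the client which of the two it was.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Rotate the session id after the privilege change so a session id
        // handed out before login cannot be reused (Servlet 3.1+ API; omit
        // this line on a Servlet 3.0 container such as Tomcat 7).
        req.changeSessionId();

        resp.sendRedirect(req.getContextPath() + HOME);
    }
}
```

The redirect is what makes the "second request" Andrew observed: login() only binds the Principal to the session, and the protected page is still fetched by the browser's follow-up request. Because the servlet itself is unconstrained, that follow-up is the first request the authenticator valve sees, and it is already authenticated.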