On 04/02/2016 17:58, Bernhard Lenz wrote:
> Are there any Tomcat developers in this forum that would like to pick up
> below suggestion? I'm very interested in hearing your opinion.

Web applications are meant to be independent. Instinct tells me to expect a lot of tricky edge cases. I think that, for the architecture described, you'd be better off using something like CAS.

Mark

>
> Sincerely
> Bernie
>
> On Wed, Jan 27, 2016 at 3:54 PM, Bernhard Lenz <bernh...@lenz.name> wrote:
>
>> I'm currently researching an architectural issue which has been pondering
>> me for quite some time now.
>>
>> Tomcat is probably one of the most widely used web servers out there.
>> It has some really nice built-in features to implement authentication
>> and authorization using
>> Form Based Authentication and the SingleSignOn valve. Also the database
>> realms with configurable table and column names and hashing of passwords
>> are exactly what is needed to develop state of the art web sites.
>>
>> In my career I've almost exclusively come across (or worked on) web sites
>> which consist of multiple war modules protected by a single site wide login
>> page. Examples are myprofile.war for a customer to update his information,
>> and admin.war for internal users to administer the site, etc etc. All wars
>> are typically protected by a single login page which matches the style of
>> the web page.
>>
>> However it appears that (based on the Servlet Reference Implementation)
>> the login page can only live within each war's servlet context and
>> therefore the login page must be copied into each single war. This makes it
>> kind of hard to maintain the login page, and in case the page needs to be
>> modified it must be changed in multiple places (namely in each war) instead
>> of just in one place.
>>
>> In order to adapt Tomcat better to today's web development practices I
>> would like to suggest an enhancement for Tomcat to provide some kind
>> of host level declaration of a login page which overrides the web.xml
>> definition or takes effect if the login page is not declared inside the
>> web.xmls. For this the FormAuthenticator's forwardToLoginPage method would
>> need to be modified to also offer a (conditional) redirect besides just a
>> forward. In my simple mind such a change shouldn't be too difficult to
>> implement.
>>
>> I also looked at glassfish's clone of Tomcat and saw that the glassfish
>> team did add a redirect to the forwardToLoginPage method, although it
>> appears not exactly for this purpose.
>>
>> I'm curious to know your thoughts about this enhancement and how to best
>> proceed with it?
>>
>> Sincerely
>> Bernie
>>
>
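
The thread's maintenance concern is that the form login page has to be copied into every WAR, so the copies can silently diverge. The following is an added example, not part of the thread and not Tomcat code: it reads each WAR's `WEB-INF/web.xml`, finds the declared `form-login-page`, and groups WARs by the SHA-256 of that file. The function names, the `login.jsp` path and the sample WAR contents are assumptions constructed for illustration.

```python
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample descriptor: FORM auth with a per-WAR login page.
WEB_XML = (
    '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">'
    "<login-config><auth-method>FORM</auth-method><form-login-config>"
    "<form-login-page>/login.jsp</form-login-page>"
    "</form-login-config></login-config></web-app>"
)

def build_war(login_html):
    """Constructed sample: a minimal in-memory WAR holding web.xml and login.jsp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", WEB_XML)
        war.writestr("login.jsp", login_html)
    return buf.getvalue()

def login_page_digest(war_bytes):
    """Return (declared login page path, SHA-256 of that file), or None if no FORM page."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        root = ET.fromstring(war.read("WEB-INF/web.xml"))
        # web.xml may or may not declare a namespace, so compare the local name only.
        for elem in root.iter():
            if elem.tag.rsplit("}", 1)[-1] == "form-login-page" and elem.text:
                path = elem.text.strip()
                try:
                    body = war.read(path.lstrip("/"))
                except KeyError:
                    return path, None  # declared in web.xml but not packaged
                return path, hashlib.sha256(body).hexdigest()
    return None

def find_drift(wars):
    """Map login-page digest -> WAR names; more than one key means the copies differ."""
    groups = {}
    for name, data in wars.items():
        result = login_page_digest(data)
        if result is not None:
            groups.setdefault(result[1], []).append(name)
    return groups

if __name__ == "__main__":
    wars = {"myprofile.war": build_war("<form>v2</form>"), "admin.war": build_war("<form>v1</form>")}
    for digest, names in find_drift(wars).items():
        print(names, digest)
```

The script assumes the WARs are your own build artifacts; it is not meant for parsing untrusted archives or descriptors.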