> From: Alejandro Soto [mailto:smalejan...@gmail.com]
> Subject: Re: filters on j_security_check
> call j_security_check from inside another servlet is
> just an idea, why is it a bad idea?

Because it's not supported by the spec; please read SRV.12.

If you want to do programmatic security in addition to declarative security, you can use the getRemoteUser(), isUserInRole(), and getUserPrincipal() methods of the object implementing HttpServletRequest. You can, of course, completely roll your own programmatic security, but in that case you must not configure any spec-defined declarative security elements in web.xml.

The field names j_username and j_password are for use by the web server to handle form-based authentication. You may customize the content of the form, but not the processing of the submitted form. Since the spec leaves the implementation undefined, Tomcat chooses to handle that with <Realm>s. If you want to perform additional checks, either create a custom <Realm>, or use the methods listed above.

 - Chuck
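
The programmatic route mentioned in the reply above, shown as an added example that is not part of the original message or of Tomcat's own code: a servlet filter that leaves form login to the container and applies an extra check with getUserPrincipal() and isUserInRole(). The class name, the role name "auditor" and the "/admin/" prefix are assumptions made for illustration.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: map this filter to URLs that a <security-constraint> already
// protects. The container processes the login form and j_security_check; the
// filter only reads the resulting identity and applies one more check.
public class ExtraAccessCheckFilter implements Filter {

    // Hypothetical role name and path prefix, chosen for illustration.
    private static final String REQUIRED_ROLE = "auditor";
    private static final String RESTRICTED_PREFIX = "/admin/";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Null when the container has not authenticated the caller, e.g. the
        // filter is mapped to a URL that no security constraint covers.
        Principal user = request.getUserPrincipal();
        if (user == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Use the container-decoded path rather than the raw request URI.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }

        // Additional programmatic check on top of the declarative constraint.
        if (path.startsWith(RESTRICTED_PREFIX) && !request.isUserInRole(REQUIRED_ROLE)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```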