1 Reply Latest reply on Oct 5, 2002 10:59 AM by Richard Berger

    Can form-based authentication distinguish between different

    Richard Berger Newbie

      Folks:

      I am using form-based authentication (specified in the web.xml file). The protected URL is a dummy signin.jsp. When the user hits that they are redirected to login.jsp which is a form that collects username/password and sends the information to my testservlet. The servlet gets this information and calls JAAS to authenticate. This all seems to work fine - if the user/password is incorrect, my servlet can do the right thing.

      However, I think that there is something I am not understanding (or doing incorrectly). I protect the signin.jsp to be only visible to those in the Admin role (just as a test). However, if I login as someone who is in the User role, they still make it through the system. E.g. JAAS finds a username/password for them (since it exists) but it seems that the role they are in (User) has become disconnected from the <auth-constraint> in the web.xml file.

      Have I made a wrong turn somewhere? Or is the <auth-constraint> really just useful for determining "authorized" vs. "unauthorized" rather than differentiating between different roles.

      Thanks so much!
      RB

        • 1. Re: Can form-based authentication distinguish between differ
          Richard Berger Newbie

          An update here.... And a theory if anyone is reading....

          Instead of using my own servlet to process the user login (e.g. when the login.jsp is displayed when the user tries to access a protected page), I used the j_security_check approach. After a bit (see other post) it worked fine. If the user does not have the correct role, they get an error.

          So, my theory is that there are at least two situations:
          1) If you simply want to protect pages from being accessed by users without the proper authentication (and can live with username/password), then you can use the "j_security_check" approach, describe the roles/security in the various .xml files and everything will be fine.
          2) If you want to do something a little more custom - e.g. in my case if someone tries to reach a proteced JSP, I want them to login and then "start at the beginning" of my system. For this, I use a custom page and a custom JAAS CallbackHandler. However, in this case, I think that if I want to check roles, then I need to do it programmatically, I cannot do it declaritively in the container.

          Does anyone know if this theory is correct??

          Thank you so much,
          RB