users@glassfish.java.net

Re: form login page outside war file?

From: <glassfish_at_javadesktop.org>
Date: Tue, 04 Dec 2007 10:19:55 PST

> But we have some pages that may be accessed from
> links in external
> sites, and they are protected with a
> security-constraint that uses the
> login-conf above. In standalone mode (deploying this
> web app without the
> others), /login.jsp is fine. But now I'd like to
> point it to the login
> page in another war. Is there any way to do this?

If you're using the container based FORM auth, you should just bundle the login.jsp with each WAR.

The configuration is based on a local JSP, not a global URL, so there's no real mechanism to have an external login page.

Forwarding doesn't work because that, too, only forwards to an internal resource (you can't forward to, say, www.yahoo.com, for instance). Redirect won't work because it's a brand new request. There's no way for the system to embed the original destination URL, so the container login code may well store a copy in the session. But when you then redirect to an external page (in a separate WAR), THAT WAR does NOT have the original destination.

If you're motivated to dig into the container code (or some kind soul is willing to share the detail with you), if you could get access to the original destination URL somehow on your login page (perhaps it's some session variable, like I said), then maybe you could jump through these flaming hoops to get this to work.

Here's the horrible scenario.

Actually, forget it...you're basically writing a hacked SSO implementation, and there's no reason to do that. Too much hackery, not portable, yuck.

To fix this, I think you have two options. One, simply embed the common login.jsp and supporting files (images, whatever) in each WAR. That's straightforward, and takes no work.

The second is to use an external SSO provider (like Sun Access Manager/OpenSSO), and use it to log in. Then the login.jsp is tied to the SSO provider. By "external", I don't mean a new machine or new server; Access Manager installs as a WAR file, so it can plop into your regular server (like the login WAR you were thinking about).

This takes more work, but may well not be traumatic. On top of that it works across containers (if you ever decide you need to break your applications up as load increases -- built-in GF SSO won't span container instances).

I'd go with #1, but that's me.
[Message sent by forum member 'whartung' (whartung)]

http://forums.java.net/jive/thread.jspa?messageID=248472
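The per-WAR arrangement the reply recommends (option #1), written out as an added example; this is not code from the original thread or from GlassFish itself. The URL patterns, the `user` role, the `file` realm name and the page names are assumptions. The point it makes concrete is the one in the reply: both the protected resources and the login page live in the same WAR, the container forwards to `/login.jsp` internally and keeps the originally requested URL for itself, and the form posts to the container's `j_security_check` with the fixed `j_username`/`j_password` field names.

```xml
<!-- web.xml (added example, not from the original post): container FORM auth
     with login.jsp bundled inside this WAR. Role, realm and paths are assumed. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Only /protected/* requires login. /login.jsp and /login-error.jsp are
       deliberately left outside the constraint; if they were covered, the
       container could never display them. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>protected-pages</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Credentials travel in the POST body, so require TLS for these URLs. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <!-- "file" is assumed here; it is the realm the container authenticates against. -->
    <realm-name>file</realm-name>
    <form-login-config>
      <!-- Both pages are local JSPs in this WAR; the container forwards to them
           and remembers the original destination in the session itself. -->
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>

<!-- login.jsp (same WAR, assumed content): the form must POST to
     j_security_check and use the j_username / j_password names; the
     container intercepts that action, checks the realm, and then redirects
     the browser back to the URL it originally asked for. -->
<form method="POST" action="j_security_check">
  <label>User <input type="text" name="j_username" autocomplete="username"/></label>
  <label>Password <input type="password" name="j_password" autocomplete="current-password"/></label>
  <input type="submit" value="Log in"/>
</form>
```

A relative `action="j_security_check"` works because, after the container's internal forward, the browser's address is still the protected URL inside this context, so the POST resolves within the same WAR; that is also why a copy of the login page in a different WAR cannot complete the exchange, as the reply explains.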