users@glassfish.java.net

Re: Developing a custom JSR-196 SAM

From: <glassfish_at_javadesktop.org>
Date: Thu, 25 Sep 2008 15:15:19 PDT

> Am I correct that when you configure a SAM that the
> authentication information provided in the web.xml is
> no longer used?

Yes, that is mostly true. The SAM can in effect override it all.

> In other words I have form based
> authentication configured, but I don't get redirected
> to my form when I hit the secured resource. If this
> is a true statement is it possible to access the
> configuration information and find the login form and
> error page paths so that I can redirect the browser
> from my sam?

It may be possible, but I'll have to ask the servlet experts.
I'll let you know what I find out. If not, I'll see if I can add a requirement to the servlet profile that the servlet container pass these values during module initialization.

> Also, since this is all taking place in
> the validateRequest would I not return SEND_SUCCESS
> rather than SUCCESS since I would have already
> configured the forward in the response and no other
> processing would need to take place or am I again
> understanding this incorrectly.

When you return the login form, you should return SEND_CONTINUE. When you validate the submitted username and password, you should redirect to the restored initial request and return SEND_CONTINUE. SEND_SUCCESS may also "work" based on our implementation, but the spec reserves its use for a different case.

When the redirect comes back into the SAM, you would establish the security identity associated with the request (typically by getting it out of the session, where it was stored before the redirect), and then you would return SUCCESS, which would cause the restored request to be passed on for processing by the servlet container.

Ron
[Message sent by forum member 'monzillo' (monzillo)]

http://forums.java.net/jive/thread.jspa?messageID=301698
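
The status flow described in the reply above, sketched as a ServerAuthModule. This is an added example, not code from the thread or from GlassFish. Assumptions: the login page path arrives as a module option named "login.page" (hypothetical), the session attribute names "sam.user" and "sam.orig" are made up for the sketch, the login form posts j_username/j_password back to the protected URL it was shown for, and passwords are checked by the container through PasswordValidationCallback.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

public class FormLoginSam implements ServerAuthModule {
    private CallbackHandler handler;
    private String loginPage; // assumption: module option, since web.xml values are not passed to the SAM
    public void initialize(MessagePolicy rp, MessagePolicy sp, CallbackHandler h, Map options) {
        handler = h;
        loginPage = (String) options.get("login.page"); // hypothetical option name
    }
    public Class[] getSupportedMessageTypes() { return new Class[] { HttpServletRequest.class, HttpServletResponse.class }; }
    public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service) throws AuthException {
        HttpServletRequest rq = (HttpServletRequest) mi.getRequestMessage();
        HttpServletResponse rs = (HttpServletResponse) mi.getResponseMessage();
        try {
            HttpSession s = rq.getSession(true);
            String user = (String) s.getAttribute("sam.user");
            if (user != null) { // redirect came back: establish the identity stored in the session
                handler.handle(new Callback[] { new CallerPrincipalCallback(client, user) });
                return AuthStatus.SUCCESS; // container now processes the restored request
            }
            if (!"true".equals(mi.getMap().get("javax.security.auth.message.MessagePolicy.isMandatory"))) return AuthStatus.SUCCESS; // unprotected resource
            String u = rq.getParameter("j_username"), p = rq.getParameter("j_password");
            if (u != null && p != null) { // login form was submitted
                PasswordValidationCallback pvc = new PasswordValidationCallback(client, u, p.toCharArray());
                handler.handle(new Callback[] { pvc });
                pvc.clearPassword();
                if (pvc.getResult()) {
                    String orig = (String) s.getAttribute("sam.orig");
                    s.invalidate(); // fresh session after login, so a pre-login session id is not reused
                    rq.getSession(true).setAttribute("sam.user", u); // stored before the redirect
                    rs.sendRedirect(rs.encodeRedirectURL(orig != null ? orig : rq.getContextPath() + "/"));
                    return AuthStatus.SEND_CONTINUE; // response already written; wait for the redirect
                }
            }
            if (s.getAttribute("sam.orig") == null) { // remember the initial request once
                s.setAttribute("sam.orig", rq.getRequestURI() + (rq.getQueryString() != null ? "?" + rq.getQueryString() : ""));
            }
            rq.getRequestDispatcher(loginPage).forward(rq, rs); // first visit or failed login: show the form
            return AuthStatus.SEND_CONTINUE;
        } catch (Exception e) { throw (AuthException) new AuthException(e.getMessage()).initCause(e); }
    }
    public AuthStatus secureResponse(MessageInfo mi, Subject service) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo mi, Subject subject) { }
}
```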