Stephan's suggestion has interested me a lot. If it works, it would definitely alleviate the pain many developers are suffering in the aspect being discussed.
However, "post the login request to an unprotected servlet that in return does all the nice logins", as Stephan said, could not be possible, as in an unsecured realm getPrincipal() and its counterparts return null. Can't do much really with a null object (*sigh*).
If anyone has a breakthrough or two in this aspect, I'd appreciate it if you could advise?
Originally posted by Stephan Wissel:
Ok, if the front door is locked... let's use the backdoor then?
I did understand form-based authentication this way:
User -> REQ Protected Realm -> Resp Login.form -> POST j_username, j_password -> j_security_check -> (if success) -> Resp (Session-Cookie) + Protected Realm.
What I didn't understand (yet): how does the Container know where to redirect the user after successful login (is there another field)?
Using that mechanism we could alter the login.html and post the login request to an unprotected servlet that in return does all the nice logins in legacy systems etc. AND uses an HttpURLConnection to authenticate and put the Cookie in the original response. This way the container remains, well, the container (black box).
Would that work?
;-) stw
P.S.: Or is there an API to provide your own authentication scheme?
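The exchange Stephan sketches, written out as an added example that is not code from his post, from the replying poster, or from any container project. Two points the thread leaves open are built in. First, the container knows where to redirect after a successful login because it saves the original protected request in the session when it serves the login form; there is no extra form field. Second, because of that saved request, a client cannot simply POST to j_security_check out of the blue: Tomcat, for one, rejects a direct post with no saved request ("Invalid direct reference to form login page"), so the relay must first GET the protected page inside a fresh session and then post the credentials with that session's JSESSIONID. The servlet name, the hidden "target" field, the loginError.html page and the legacyLogin() hook are all assumptions made for the illustration.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.util.List;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical unprotected relay servlet (illustration only, not from the thread).
 * The altered login.html posts j_username, j_password and a hidden "target"
 * field here instead of to j_security_check.  The servlet runs the legacy
 * logins, then drives the container's own form login over HttpURLConnection
 * and hands the resulting session cookie to the browser.
 */
public class RelayLoginServlet extends HttpServlet {

    private static final String SESSION_COOKIE = "JSESSIONID";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("j_username");
        String pass = req.getParameter("j_password");
        String target = req.getParameter("target"); // assumed hidden field: the protected URL
        // Reject absolute and protocol-relative targets so the final redirect cannot be
        // pointed at another host (open redirect).
        if (user == null || pass == null || target == null
                || !target.startsWith("/") || target.startsWith("//")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        if (!legacyLogin(user, pass)) {                    // hypothetical legacy hook
            resp.sendRedirect(req.getContextPath() + "/loginError.html"); // assumed page
            return;
        }

        String base = req.getScheme() + "://" + req.getServerName() + ":"
                + req.getServerPort() + req.getContextPath();

        // Step 1: request the protected page.  The container answers with the login
        // form, a fresh JSESSIONID, and records the requested URL in that session.
        HttpURLConnection first = open(base + target, "GET", null);
        String cookie = sessionCookie(first);
        if (cookie == null) {
            resp.sendError(HttpServletResponse.SC_BAD_GATEWAY, "no session cookie from container");
            return;
        }

        // Step 2: post the credentials to j_security_check inside that same session.
        String body = "j_username=" + URLEncoder.encode(user, "UTF-8")
                + "&j_password=" + URLEncoder.encode(pass, "UTF-8");
        HttpURLConnection second = open(base + "/j_security_check", "POST", cookie);
        second.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream out = second.getOutputStream()) {
            out.write(body.getBytes("UTF-8"));
        }
        // Success: 302 back to the saved request.  Failure: redirect to, or rendering
        // of, the form-error-page.
        String location = second.getHeaderField("Location");
        boolean ok = second.getResponseCode() == HttpURLConnection.HTTP_MOVED_TEMP
                && location != null && location.endsWith(target);
        if (!ok) {
            resp.sendRedirect(req.getContextPath() + "/loginError.html");
            return;
        }
        // Containers may issue a new session id on authentication; prefer it if present.
        String fresh = sessionCookie(second);
        String[] nv = (fresh != null ? fresh : cookie).split("=", 2);

        // Step 3: hand the authenticated session cookie to the browser and send it on.
        Cookie c = new Cookie(nv[0], nv[1]);
        c.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
        c.setSecure(req.isSecure());
        resp.addCookie(c);
        resp.sendRedirect(req.getContextPath() + target);
    }

    private static HttpURLConnection open(String url, String method, String cookie)
            throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        conn.setRequestMethod(method);
        conn.setInstanceFollowRedirects(false); // keep the 302 and its Set-Cookie header
        conn.setDoOutput("POST".equals(method));
        if (cookie != null) {
            conn.setRequestProperty("Cookie", cookie);
        }
        return conn;
    }

    /** Returns "JSESSIONID=value" from the response's Set-Cookie headers, or null. */
    private static String sessionCookie(HttpURLConnection conn) throws IOException {
        conn.getResponseCode(); // forces the request to be sent
        for (Map.Entry<String, List<String>> e : conn.getHeaderFields().entrySet()) {
            if (!"Set-Cookie".equalsIgnoreCase(e.getKey())) continue;
            for (String h : e.getValue()) {
                String pair = h.split(";", 2)[0].trim();
                if (pair.startsWith(SESSION_COOKIE + "=")) return pair;
            }
        }
        return null;
    }

    /** Hypothetical legacy-system login; a real deployment calls the legacy API here. */
    private boolean legacyLogin(String user, String pass) {
        return !user.isEmpty() && !pass.isEmpty();
    }
}
```

The relay servlet is mapped to a URL outside every security-constraint in web.xml, and the form's action in login.html is changed from j_security_check to that URL. Because the browser ends up holding a JSESSIONID that the container itself authenticated, getPrincipal() works on every later request to the protected realm; the servlet never needs a principal of its own. The cost is that the application now handles the raw password on its way through, so the relay must sit behind HTTPS, must not log the credentials, and becomes the place to rate-limit failed logins.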