The Login is primarily responsible for extracting the credentials from the request (typically username and password) and passing those to the ServletAuthenticator.
The Servlet API calls the Login in two contexts: directly from ServletRequest.getUserPrincipal(), and during security checking. When called from the Servlet API, the login class can't change the response. In other words, if an application calls getUserPrincipal(), the Login class can't return a forbidden error page. When the servlet engine calls authenticate(), the login class can return an error page (or forward internally).
Normally, Login implementations will defer the actual authentication to a ServletAuthenticator class. That way, both "basic" and "form" login can use the same DatabaseAuthenticator. Some applications, like SSL client certificate login, may want to combine the Login and authentication into one class.
Login instances are configured through bean introspection. A login class that adds a public setFoo(String foo) method is configured with the following login-config:

<myfoo:CustomLogin xmlns:myfoo="urn:java:com.foo.myfoo">
  <foo>bar</foo>
</myfoo:CustomLogin>

@since Resin 4.0.0
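The mapping from the <foo> child element to setFoo() can be illustrated with the standard java.beans API. This is an added example, not Resin's own configuration code: the CustomLogin class, the configure() helper and the strict rejection of unknown element names are assumptions made for the illustration.

```java
import java.beans.BeanInfo;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.lang.reflect.Method;
import java.util.LinkedHashMap;
import java.util.Map;

public class LoginConfigDemo {
  // Hypothetical login bean matching the <myfoo:CustomLogin> element.
  public static class CustomLogin {
    private String foo;
    public void setFoo(String foo) { this.foo = foo; }
    public String getFoo() { return foo; }
  }

  // Applies child-element name/value pairs to matching public String setters.
  // This sketch rejects unknown names, so a typo in the config cannot
  // silently leave a security-relevant property at its default value.
  static void configure(Object bean, Map<String, String> elements) throws Exception {
    BeanInfo info = Introspector.getBeanInfo(bean.getClass(), Object.class);
    for (Map.Entry<String, String> e : elements.entrySet()) {
      Method setter = null;
      for (PropertyDescriptor pd : info.getPropertyDescriptors()) {
        if (pd.getName().equals(e.getKey()) && pd.getPropertyType() == String.class) {
          setter = pd.getWriteMethod(); // null when the property is read-only
        }
      }
      if (setter == null) {
        throw new IllegalArgumentException("no String setter for <" + e.getKey() + ">");
      }
      setter.invoke(bean, e.getValue());
    }
  }

  public static void main(String[] args) throws Exception {
    CustomLogin login = new CustomLogin();
    Map<String, String> elements = new LinkedHashMap<>();
    elements.put("foo", "bar"); // constructed input for <foo>bar</foo>
    configure(login, elements);
    System.out.println("foo=" + login.getFoo());
    try {
      configure(login, Map.of("fo", "bar")); // constructed typo in the element name
    } catch (IllegalArgumentException ex) {
      System.out.println("rejected: " + ex.getMessage());
    }
  }
}
```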