Added question on login with multiple fields to faq

2008-06-01 15:25:39 +00:00 · 2008-06-01 15:25:39 +00:00 · 2a510f3539
parent 7c0f8b9756
commit 2a510f3539
1 changed files with 42 additions and 0 deletions
--- a/src/site/fml/faq.fml
+++ b/src/site/fml/faq.fml
@ -126,5 +126,47 @@ org.springframework.security.AccessDeniedException: Access is denied
    			</p>
    		</answer>
    	</faq>
+    	<faq>
+    		<question>
+    			I've configured the "requires-channel" attribute to use HTTPS for my login page and switch back to HTTP afterwards but I just end up back at
+    			the login page after authenticating. I'm using Tomcat. Why doesn't it work?
+    		</question>
+    		<answer>
+    			<p>
+    			This happens because Tomcat sessions created under HTTPS cannot subsequently be used under HTTP and any session state is lost (including 
+    			the security context information). Starting in HTTP first should work.
+    			</p>
+    		</answer>
+    	</faq>
+    	<faq>
+    		<question>
+    			I'm forwarding a request to another URL using the RequestDispatcher, but my security constraints aren't being applied. Why not?
+    		</question>
+    		<answer>
+    			Filters are not applied by default to forwards or includes. If you really want the security filters to be applied to forwards and/or includes, 
+    			then you have to configure these explicitly in your web.xml using the &lt;dispatcher&gt; element, a child element of &lt;filter-mapping&gt;.
+    		</answer>
+    	</faq>
    </part>
+	  <part>
+	  	<title>Common "How To" Requests</title>
+	  	<faq>
+	  		<question>I need to login in with more information than just the username. How do I add support for extra login fields (e.g. a company name)?</question>
+	  		<answer>
+	  			<p>This question comes up repeatedly in the Spring Security forum so you will find more information there.</p>
+	  			<p>
+	  			The submitted login information is processed by an instance of <i>AuthenticationProcessingFilter</i>. You will need to customize this class to handle
+	  				the extra data field(s). One option is to use your own customized authentication token class (rather than the standard <i>UsernamePasswordAuthenticatioToken</i>),
+	  				another is simply to concatenate the extra fields with the username (for example, using a ":" as the separator) and pass them in the username property of
+	  				<i>UsernamePasswordAuthenticatioToken</i>.
+	  			</p>
+	  			<p>
+	  				You will also need to customize the actual authentication process. If you are using a custom authentication token class, for example, you will have to write an 
+	  				<i>AuthenticationProvider</i> to handle it (or extend the standard <i>DaoAuthenticationProvider</i>). 
+	  			  If you have concatenated the fields, you can implement your own <i>UserDetailsService</i> which splits them up and loads the appropriated user data to use
+	  				for authentication.
+	  			</p>
+	  		</answer>
+	  	</faq>
+	  </part>
 </faqs>