According to Scott Gutherie's blog (http://weblogs.asp.net/scottgu/archive/2007/04/02/iis-7-0.aspx), it appeared that you can use forms authentication to protect a jsp website. I have a site that I need to have elementary protection over so that users can't go directly to the site without going through a portal using forms auth. So we set-up the site in IIS 6.0 and IIS 7.0, installed tomcat on IIS using the isapi_redirect and got the site up and working, no problem. Using another article from Scott:
http://weblogs.asp.net/scottgu/archive/2007/03/04/tip-trick-integrating-asp-net-security-with-classic-asp-and-non-asp-net-urls.aspx
We added wild card mappings and the isapi extension for .jsp. We had success with protect classic ASP sites using this same process, however we can't get it to work. These settings are simply ignored when it comes to the JSP pages. According to the 1st Scott Gutherie article, it appears that forms authentication is baked into IIS, so before IIS redirects processing to tomcat, IIS would catch the request first and apply forms auth.
Does anyone have any suggestions on some other implementations or fixes to this problem?
Thanks!
Sam