https://issues.apache.org/bugzilla/show_bug.cgi?id=46902
--- Comment #5 from Konstantin Kolinko <knst.koli...@gmail.com> ---
(In reply to Mark Thomas from comment #4)
> I don't think that this Valve is generic enough to include in Tomcat.

Agreed.

> I believe an additional option of
> "forceLandingPageAfterAuth" that always redirected the user to the landing
> page rather than their requested page would meet this requirement. This
> should be fairly easy to implement.

I think it does not match the OP's use case of iframes.

In OP's use case #1 (Comment 3) a request for the protected resource http://mysite/protected/some_stuff.html goes to an iframe. So the login form will be displayed in the iframe. Generally you wouldn't want a login form in an iframe, so I think that the login page has to perform some logic to detect that it is in an iframe and to change the URL of the containing page.

In this case the form page shall adapt its behaviour depending on the requested URI. Instead of displaying a form it shall redirect the top frame to /protected/index.html. (E.g. return a small placeholder page that changes the top frame URL via JavaScript.)

If the top frame URL is /protected/index.html then after authentication the user will be directed to /protected/index.html, as expected.

In OP's use case #2 (Comment 1) - a request to a graphics file, some JavaScript, a CSS file. Again, the form page shall adapt its behaviour depending on the requested URI. It shall not return an HTML form instead of an image. A browser won't be happy to receive one.

I think that instead of using "forceLandingPageAfterAuth" one shall implement a dynamic login form page that does check the request URI, and when (requestURI != landingPageURI) it responds with a 302 redirect to the landing page instead of displaying a form.

Note that the "forceLandingPageAfterAuth" feature and using a 302 redirect in the login form differ in the URL that is displayed in the location bar of a web browser during authentication.

In case of "forceLandingPageAfterAuth": The URL displayed in the location bar of a browser will be the one of the protected resource. It is confusing. After authentication you are not directed to that URL but 302-redirected to the landing page. What have you been authenticating for?

In case of the login form page sending a 302-redirect to the landing page: The displayed URL during authentication will be the same as the one after authentication - the landing page. I think that this behaviour is better.
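
The dynamic login page described in the comment above, sketched as a servlet. This is an added example, not code from the bug report or from Tomcat. The class name, the landing page constant and the form view path are hypothetical, and it assumes the container reaches the login page through a RequestDispatcher forward, so the originally requested URI is available in the standard forward attribute.

```java
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Assumed to be mapped to the URL configured as <form-login-page> in web.xml. */
public class LandingAwareLoginServlet extends HttpServlet {

    // Assumption: landing page path relative to the context root.
    private static final String LANDING_PAGE = "/protected/index.html";
    // Assumption: JSP that renders the real j_security_check form.
    private static final String FORM_VIEW = "/WEB-INF/login-form.jsp";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String landingUri = req.getContextPath() + LANDING_PAGE;

        // After a forward, getRequestURI() may describe the login page itself;
        // the URI the browser asked for is in the forward attribute.
        Object forwarded = req.getAttribute(RequestDispatcher.FORWARD_REQUEST_URI);
        String requestedUri = forwarded != null
                ? forwarded.toString() : req.getRequestURI();

        // The login flow must not be cached by the browser or by proxies.
        resp.setHeader("Cache-Control", "no-store");

        if (!landingUri.equals(requestedUri)) {
            // Image, script, CSS or deep link: answer with a 302 to the
            // landing page instead of an HTML form. The target is a fixed,
            // server-side constant and is never built from request data.
            resp.sendRedirect(resp.encodeRedirectURL(landingUri));
            return;
        }

        // The landing page itself was requested: show the form. No loop is
        // possible, because the redirect above always lands in this branch.
        req.getRequestDispatcher(FORM_VIEW).forward(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doGet(req, resp); // a forwarded POST gets the same decision
    }
}
```

This covers the 302 variant only; the iframe case from the comment still needs the placeholder page that changes the top frame URL.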