If you're using security realms and form based login (not sure if you
are) then you shouldn't ever directly request the login page, simply
request the protected resource and let the container send the login page as
required and then continue the user onto the requested
(protected) resource.

cheers
dim

On Thu, 27 Sep 2001, Gerry Duhig wrote:

> Hi!
> 
> I have configured a webapp to be deployed by the embedded Tomcat and
> use the JBoss security system to protect it. It works but there is a
> flaw I overlooked.
> 
> The webapp is a login servlet and a number of html and jsp pages.
> 
> I designed it so that JBoss protects all the pages and the login
> servlet and uses FORM authentication.
> 
> If the user accesses the app in the "proper" way, the url directs him
> to the login servlet which is protected. JBoss puts up the FORM,
> authenticates the user and directs him to the servlet. He is logged in
> to our database, a cookie is written and he is redirected to the html
> pages. All is well.
> 
> If he later (new session) uses his browser history to access an html
> page directly, JBoss intercepts, puts up the FORM and authenticates
> him, and he then gains access to the html page but has not run the
> login servlet and has no cookie which is required later in the
> process.
> 
> How can I force the login servlet to be run whatever route the user
> comes in by?
> 
> Gerry


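One way to make the application-level login run whichever protected page the user enters by, as an added example that is not from this thread or from JBoss: a servlet filter (Servlet 2.3 or later) mapped to all protected URLs runs after the container's FORM authentication and performs the login servlet's work once per session, keyed on the container-supplied principal. The class, attribute and cookie names and the `AppLogin` hook are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical hook for the webapp's own login step (database login, cookie value). */
interface AppLogin { String login(String user); }

// Hypothetical filter; map it in web.xml to the same URLs the security
// constraint covers. By the time it runs the container has already shown the
// FORM and authenticated the user, so getUserPrincipal() is the trusted source
// of identity, not anything the client sent.
public class AppLoginFilter implements Filter {
    static final String SESSION_FLAG = "app.loginDone";   // assumed attribute name
    static final String APP_COOKIE = "APPSESSION";          // assumed cookie name

    // Constructed placeholder: a real deployment plugs in its database login here.
    private AppLogin appLogin = user -> java.util.UUID.randomUUID().toString();

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (request.getUserPrincipal() == null) {
            // The URL is outside the security constraint, so container auth never
            // ran. Refuse instead of trusting a cookie left over from an old session.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        HttpSession session = request.getSession(true);
        if (session.getAttribute(SESSION_FLAG) == null) {
            // First protected request in this session (direct URL, browser history,
            // or the login servlet itself): do the login servlet's work exactly once.
            String user = request.getUserPrincipal().getName();
            Cookie c = new Cookie(APP_COOKIE, appLogin.login(user));
            String ctx = request.getContextPath();
            c.setPath(ctx.isEmpty() ? "/" : ctx);
            c.setSecure(request.isSecure());   // only send over TLS when the app is served over TLS
            c.setHttpOnly(true);               // Servlet 3.0+; keeps scripts from reading the token
            response.addCookie(c);
            session.setAttribute(SESSION_FLAG, Boolean.TRUE);
        }
        chain.doFilter(req, res);
    }
}
```

With this in place the login servlet can become a plain protected page, since the filter guarantees the database login and cookie exist before any protected resource is served.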
_______________________________________________
JBoss-user mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-user