Seems to me what you are doing wrong is allowing unguarded access to a page
you think should be accessible only after login. Suppose the user gets to
http://server/path/to/ProtectedPage.html by accident? Or by hacking around?

I don't think depending on paths being "secret" is much security. Either
the path should be unreachable via a standard HTTP (or other external)
request or the page should protect itself.

A more secure design would be to use JSP for all protected pages, and check
for a valid login at start of processing each such page.

Like a previous responder, I would love to hear what others think.

Bob

Bob Foster
Symantec Internet Tools  http://www.visualcafe.com
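The design Bob describes above, a login check at the start of every protected page, as an added example that is not code from either poster. It assumes a hypothetical session attribute `user` that the login page sets after a successful login, a hypothetical login page at `/login.jsp`, and the standard `javax.servlet` API of the period (`jakarta.servlet` in current containers):

```java
// Added example: a login guard that each protected JSP invokes before it
// writes any output, so the page protects itself no matter which URL the
// request arrived on (bookmark, direct link, forward() or sendRedirect()).
// The session attribute name and login page path are assumptions.
//
// In each protected JSP, before any output:
//   <%@ page import="LoginGuard" %>            (package as appropriate)
//   <% if (!LoginGuard.requireLogin(request, response)) return; %>
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public final class LoginGuard {
    public static final String USER_ATTR = "user";        // hypothetical attribute set by the login page
    public static final String LOGIN_PAGE = "/login.jsp"; // hypothetical login page, relative to the context

    private LoginGuard() {}

    /** True only if this request belongs to a session that completed login. */
    public static boolean isLoggedIn(HttpServletRequest req) {
        HttpSession session = req.getSession(false); // never create a session just to check it
        return session != null && session.getAttribute(USER_ATTR) != null;
    }

    /**
     * Call at the top of every protected page. Returns true when rendering may
     * proceed; otherwise sends the browser to the login page and returns false
     * so the page can stop without emitting protected content. The requested
     * URL travels along as "next" so the login page can send the user back.
     */
    public static boolean requireLogin(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        if (isLoggedIn(req)) {
            return true;
        }
        String target = req.getRequestURI();
        if (req.getQueryString() != null) {
            target += "?" + req.getQueryString();
        }
        String loginUrl = req.getContextPath() + LOGIN_PAGE
            + "?next=" + URLEncoder.encode(target, "UTF-8");
        // encodeRedirectURL keeps the session id for clients without cookies
        resp.sendRedirect(resp.encodeRedirectURL(loginUrl));
        return false;
    }
}
```

Two points follow from the thread. First, the `next` parameter is client-controlled once it has round-tripped through the browser, so the login page should only honour a server-relative path inside the application before redirecting to it. Second, this guard only covers pages that run code: static `.html` files and `.gif` images under the document root stay reachable by direct URL, which is exactly why Bob's other option, making such paths unreachable by a plain HTTP request, still matters for anything that cannot check itself.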

______________________________ Reply Separator _________________________________
Subject: Login revisited: forward() vs redirect()
Author:  Christopher Cobb <[EMAIL PROTECTED]> at Internet
Date:    4/9/99 12:34 PM


I am hitting a wall trying to implement my desired login architecture.

What I want is this.  A user wants to get to ProtectedPage.html, but I want to
interpose a login-checking servlet, which forces the user to login if necessary,
then sends them to the desired page after successfully logging in.  I am using the
'extended path' approach but the 'query parameter' approach could also be used
to the same effect (and the same problems).

The following works.  User goes to

http://server/servlet/GatewayServet/path/to/ProtectedPage.html

I intercept this with my GatewayServet, forward() to a jsp page which does a
login.  Replies to the login with a second jsp page which confirms the login (I
could probably eliminate this second page in the final version.  This is mainly
there to help me debug.)  Then they press 'OK' which sends them back to:

http://server/servlet/GatewayServet/path/to/ProtectedPage.html

Notice that this is exactly the same URL that we started with.  This feeds us
back to the servlet, but this time it notices that the user has successfully
logged in.

All this works fine.

Now the problem.  If I try to use forward() to get to
/path/to/ProtectedPage.html, it fails because static .html pages are not
supported by forward.

If, instead, I rename the target page to /path/to/ProtectedPage.jsp, and again
try to use forward(), it will eventually hit a non-active source (a .gif or
.html frame) and barf again.

If I use sendRedirect() instead, then this gets us to the desired page, but the
URL that appears in the user's browser is:

http://server/path/to/ProtectedPage.html

Notice that the GatewayServlet part has been eliminated.  This is not what I
want because the user could directly bookmark this page and get to it directly
without going through the servlet guard.

Other discussions on this list have indicated that this general approach works.
What am I doing wrong???

cc
