True. If we eliminate the explicit "login" link entirely then
login-redirect.jsp can go away.
The (useful) function that login-redirect.jsp adds is that it engages in
a bit of logic to decide whether to shunt you straight to your single
weblog (in the case you have only one) or to a menu page with all of
them (in the case that you have more than one).
This seems to work properly now and it seemed worth keeping.
--a.
Matt Raible wrote:
With the Acegi Security integration, we don't really need the
login-redirect.jsp anymore. With CMA, you have to request a protected
resource before you can authenticate - but not so with Acegi Security. In
reality, we should never be linking directly to a "login" page because users
should only be prompted to login when they try to access a protected
resource. That begin said, if you hit login.jsp as your first page, and
then login - Acegi will take you to the default page/url that you've
specified.
Another thing we need to look at before we release 2.1 is that the Acegi
filter is mapped to /*. While this seems to work well with my site - it
might be a different story for JRoller and blogs.sun.com.
Matt
On 12/11/05, Anil Gangolli <[EMAIL PROTECTED]> wrote:
OK. I resolved this.
http://svn.apache.org/viewcvs?rev=355963&view=rev
The login-redirect.jsp page does seem to be used as the locus of the
selection logic for the multi v. single weblog case, so I don't think it
should be cut out, and it is properly expecting to follow authentication.
I have checked in the following fix. I added it to the scope of URI's
requiring authentication in the security.xml, which appeared to me to be
the correct thing (and which seems to work as expected).
Matt should probably check this.
I never saw any intermittentness in this bug. It happened every time
if you were not already logged in and didn't have a "remember me" cookie.
--a.
Allen Gilliland wrote:
I had just mentioned this one to Dave yesterday, but the strange thing
is that it doesn't happen all of the time, only intermittently.
I agree, we should be able to get rid of login-redirect.jsp now that
we have Acegi. I say go for it.
-- Allen
Anil Gangolli wrote:
login-redirect.jsp is calling
UserData user = rollerSession.getAuthenticatedUser();
which is returning null and it's passing it along. It looks like
it's expecting authentication to have taken place at that point, but
it didn't.
Should we be eliminating login-redirect.jsp here, and have the
explicit Login link directly to login.jsp? Is login-redirect
outmoded now with Acegi?
Anil Gangolli wrote:
The latest trunk build is giving me a Null Pointer Exception when
clicking the Login link (which leads to login-redirect.jsp).
I'm starting to look at this, but if anyone knows what's going on
already, let me know.
--a
java.lang.NullPointerException
at
org.roller.pojos.WebsiteData.hasUserPermissions(WebsiteData.java:1002)
at
org.apache.jsp.login_002dredirect_jsp._jspService(
org.apache.jsp.login_002dredirect_jsp:76)
at
org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:99)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
at
org.apache.jasper.servlet.JspServletWrapper.service(
JspServletWrapper.java:325)
at
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java
:295)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java
:245)
...
