At 01:54 AM 12/9/2003 -0500, you wrote:
Put the file in something like WEB-INF/jsp/login.jsp. Then either
configure form-based authentication for the path to that JSP
I tried doing that, but when I specified /WEB-INF/jsp/login.html in
<login-config>
<auth-method>FORM</auth-method>
Tomcat 4.0.x, 4.1.x does a redirect to the login page specified in the
web.xml
Tomcat 5 does a forward so the login page url never reaches the browser.
There are a number of workarounds/hacks in the archives for tc4.
eg the thread j_security_check - Bookmarking the login page. A teaser!
Jon
On 12/08/2003 11:59 PM Chaikin, Yaakov Y (US SSA) wrote:
I realized that my user can mess himself by bookmarking the login page
he is asked to log in. The login.jsp appears in the URL address in the
browser...
Does anyone know how to avoid this? How do I block that URL for the user
and not for the
I had this exact problem some time ago.
You might search the archive for the subject line I used:
j_security_check - Bookmarking the login page. A teaser!
The problem was solved for me then.
Andoni.
- Original Message -
From: Chaikin, Yaakov Y (US SSA) [EMAIL PROTECTED]
To: [EMAIL
You could create a mapping for login.jsp that points to an error page from
your web.xml descriptor. Then you will only be able to get to login.jsp with
server side forwards.
On Tuesday 09 December 2003 05:33 am, you wrote:
I had this exact problem some time ago.
You might search the
to prevent direct access to login.jsp
On 12/08/2003 11:59 PM Chaikin, Yaakov Y (US SSA) wrote:
I realized that my user can mess himself by bookmarking the login
page
he is asked to log in. The login.jsp appears in the URL address in
the
browser...
Does anyone know how to avoid this? How do
I realize that you're asking if there is a Tomcat-configurable solution to
this problem but that isn't the best way to handle this in the Java
world.
The Tomcat-configurable way might be to force a directory (or web-app) to
force a new hit to the server instead of allowing the page to be
.
Yaakov Chaikin
Software Engineer
BAE SYSTEMS
301-838-6899 (phone)
301-838-6802 (fax)
[EMAIL PROTECTED]
-Original Message-
From: Tom Holmes Jr. [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 8:35 PM
To: Tomcat Users List
Subject: Re: How to prevent direct access to login.jsp
09, 2003 5:10 AM
To: Tomcat Users List
Subject: Re: How to prevent direct access to login.jsp
On 12/08/2003 11:59 PM Chaikin, Yaakov Y (US SSA) wrote:
I realized that my user can mess himself by bookmarking the login
page
he is asked to log in. The login.jsp appears in the URL address
I think there is another option that no one has mentioned yet :-P
When the login.jsp page is presented as part of the login process, there
will be some standard request attributes containing the original
requested page (I don't remember the names now, but you can find them in
the servlet spec).
Put the file in something like WEB-INF/jsp/login.jsp. Then either
configure form-based authentication for the path to that JSP or have your
MVC framework serve up that JSP page upon access to a protected
resource. The back button will never know the exact location of the page.
Jake
At 05:59
Put the file in something like WEB-INF/jsp/login.jsp. Then either
configure form-based authentication for the path to that JSP
I tried doing that, but when I specified /WEB-INF/jsp/login.html in
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>