On Tue, Oct 01, 2002 at 09:39:21AM -0700, Karr, David wrote:
> I asked this a month ago on this list, but I didn't get a reply.
> ---------------------------------------
> If I have my web application configured with form-based auth, I can try to
> go to this URL (say):
>
>         http://localhost/myapp
>
> and if I haven't logged in, it will send me to the login page.  If I then
> enter the correct userid and password and click submit, it will send me to
> the page that the original URL would have sent me to.  I have this working.
>
> However, even though it brought up the correct page, the URL field in the
> browser says this:
>
>         http://localhost/mypapp/login/j_security_check
>
> I would think it would be better if it just said the original URL.

Under Tomcat, once you get redirected to the original restricted page, it
shows the URL for that page. So it sounds like it's server specific. The only
time I see the j_security_check in the URL is when I get the 400 for
"Invalid direct reference to form login page" that I just sent an email
about.

>
> Should I care about this?  Is there anything practical I can do about this?

If you don't care how it looks, it probably doesn't affect anything else.
I doubt that there's anything you can do about it.

> Should I have a filter check for new sessions and immediately do a
> "redirect" to the application home page (which would force a single entry
> point)?

That's a design decision. Depends on lots of questions such as: Do you want
your users to bookmark internal pages that they could go to? Do all your
pages require authentication, etc.

>
> Note that I'm not certain yet whether I want to allow any entry point into
> the application, or restrict them to a single entry point.  I would guess
> that if I restricted it to a single entry point, I could have an
> intermediate page just do a redirect to the real entry point.
>
> If it matters, I'm using OC4J 9.0.2 as my application server, on Win2k.
>
> ___________________________________________________________________________
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff SERVLET-INTEREST".
>
> Archives: http://archives.java.sun.com/archives/servlet-interest.html
> Resources: http://java.sun.com/products/servlet/external-resources.html
> LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
>

--
Dror Matalon
Zapatec Inc
1700 MLK Way
Berkeley, CA 94709
http://www.zapatec.com
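
One way to build the single-entry-point filter discussed in this thread, as an added example that is not part of the original messages. The class name, the `/home` path and the session attribute name are assumptions, and the filter is assumed to be mapped in web.xml only to the URL patterns that sit behind the form-based login.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: sends any session that has not yet passed through the
// home page to the home page, so deep links and bookmarks cannot be used
// as entry points.
public class SingleEntryPointFilter implements Filter {
    // Hypothetical values chosen for this example.
    private static final String HOME_PATH = "/home";
    private static final String ENTERED_ATTR = "example.enteredViaHome";

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // A marker attribute is used instead of HttpSession.isNew(): the
        // container may already have created the session while handling
        // the login, in which case isNew() is false on the first real page.
        HttpSession session = request.getSession(true);

        // Path of the requested resource relative to the context root.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }

        if (HOME_PATH.equals(path)) {
            // The user arrived through the entry point: remember it.
            session.setAttribute(ENTERED_ATTR, Boolean.TRUE);
            chain.doFilter(req, res);
            return;
        }

        if (session.getAttribute(ENTERED_ATTR) == null) {
            // Redirect to a fixed, server-chosen target. Nothing from the
            // request is copied into the Location header, so the redirect
            // cannot be steered to another site.
            response.sendRedirect(
                response.encodeRedirectURL(request.getContextPath() + HOME_PATH));
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Whether the browser's address bar shows `j_security_check` after login stays under the container's control; the filter only decides which page an authenticated session may start on.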