Luke Taylor wrote:
> "Craig R. McClanahan" wrote:
> >
> > Chris Bartley wrote:
> >
> > > This thread seems to have gone off-topic a bit. What about Jens' original
>question about why ALL requests don't go through ActionServlet?:
> > >
> >
> > Ideally, that's what happens. Unfortunately, there are some practical realities
>that get in the way:
> >
> > * What about your welcome page? Usually, you want a URL like this:
> > http://myhost/myapp
> > to work, which will call up the index.html or index.jsp page. One approach
> > to this is to configure the URI of your login page as the "welcome" page
> > for the app, using the <welcome-file> element in web.xml.
> >
>
> I have had quite a few problems relating to this kind of thing - if you
> setup your login page as the "welcome" page, or indeed if the user
> accesses the login page directly, the container has no way of knowing
> where to go next after submitting the name and password to the
> j_security_check. We've been finding that JRun just hangs in this case.
> I reckon it would be preferable if the default was to go *to* the
> welcome page after a login with no previous cached request.
>
If you are using the form-based login mechanism supported by your servlet container,
you would generally make the welcome page that you display to
logged in users be the "welcome file" for this webapp. The form login page would
never be explicitly referenced (by the user) at all -- the
container will use it automatically the first time that your user attempts to access a
protected page.
>
> Any ideas on ways of circumventing this type of problem? I was
> previously submitting the logon information to an Action class and
> either overwriting or inserting the "requested page" information which
> was stored in the session, and then forwarding to j_security_check. But
> this is a bit flaky and not very portable.
>
You are definitely going to have problems trying to "intercept" the login information
and then forward to "j_security_check". For example, this
will fail in Tomcat 4.0, because it only recognizes "j_security_check" *if* the
container did the redirect to the form login page.
Think of the pages you declare for <form-login-page> and <form-error-page> as part of
the container, and not as part of your application.
>
> cheers,
>
> Luke.
>
> --
> Luke Taylor.
> PGP Key ID: 0x57E9523C
Craig
