Bookmarking the login page and then returning and logging in results in what I call an 'unsolicited login request' since the app server didn't send the user to the login form in the first place. The server doesn't know where to send the user when it gets such a request, so it fails as you observed. Different servers do different things in this situation, but it isn't supported by the Servlet spec, so you cannot count on it working.
That was one of the reasons I started the SecurityFilter project, which closely mimics container managed security with a few extensions. SecurityFilter allows you to specify a 'default page' that the server will redirect the user to when an unsolicited login request is received. It requires a Servlet 2.3 compliant server as it uses filters, but it might be a viable option for you if you are willing to do a server upgrade:

http://securityfilter.sourceforge.net/

Otherwise, there isn't much you can do besides putting a message on the login page that recommends that users don't bookmark it. They can bookmark protected pages, and will simply be routed through the login form and taken to the bookmarked page upon successful authentication (assuming they have access rights).

-Max

----- Original Message -----
From: "w i l l i a m b o y d" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Sent: Thursday, February 20, 2003 9:48 PM
Subject: JDBCRealm - entering site through login page

> hi all,
>
> developing on w98 with tomcat 3.2.24, mysql 3.23.26, struts 1.0.2, jsk
> 1.3.1. will be deploying with same setup but on xp. i was taking a custom
> authorization approach originally, using a Struts LoginAction for the
> protected areas of my web app. but i thought a JDBCRealm would be a neat
> thing to implement. so, i got my JDBCRealm configured, no problem. what
> happens now, is when a user tries to load a protected resource, they are
> taken to the login page. they login, and they're rerouted to the resource
> they originally tried to access. sweet!
>
> however, if someone, say, bookmarks the login page itself, or loads
> http://www.mydomain.com/login.jsp as the very first page they visited on the
> site, then logs in successfully? then all bets are off right?. in that case,
> i get a '404 page /protected_dir/null not found' message. of course, if they
> give it a duff username/pass they get sent to my <form-error-page>, as
> expected.
>
> forgive me if there is an obvious solution to this that i'm missing, but
> it's 5 a.m., and i've been working on this for the last 12 hours; and
> therefore not as sharp as i should be at the moment.
>
> what should i do to work around this? is there some way to point the login
> page to a Struts Action servlet? and still use a JDBCRealm? i figured the
> *only* action i was allowed to use with JDBCRealms was 'j_security_check',
> with the requisite 'j_username' and 'j_password' form fields. no struts
> actions allowed. is that right?
>
> or is there some way - using a JDBCRealm - to set a default page that login
> would go to on a successful login, in the cases where a user hasn't
> previously tried accessing a protected area, but instead simply tried
> loading the login.jsp page itself, as the very first page the user visits
> when they enter the site?
>
> any help anyone can give would be greatly appreciated. thanks in advance.
>
> will
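
An added example, not part of the thread and not SecurityFilter's own code: the post-login redirect decision discussed above, sketched in Java. When no request was saved (an unsolicited login) the user goes to a default page, and a saved target is followed only if it lies inside the application. The class and method names, the `/app` context path and the `/index.jsp` default page are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added illustration: names here are hypothetical, not SecurityFilter's API.
public class PostLoginTarget {

    /**
     * Decide where to send a user after a successful form login.
     * savedRequest: URL the user first asked for, or null when the login
     *               form was loaded directly (bookmark or typed URL).
     * contextPath:  the web application's context path, e.g. "/app".
     * defaultPage:  context-relative page used for unsolicited logins.
     */
    static String resolve(String savedRequest, String contextPath, String defaultPage) {
        String fallback = contextPath + defaultPage;
        if (savedRequest == null || savedRequest.isEmpty()) {
            return fallback; // unsolicited login: nothing was saved
        }
        try {
            URI uri = new URI(savedRequest).normalize();
            // Follow a saved target only if it is a plain path inside this application.
            if (uri.getScheme() != null || uri.getRawAuthority() != null) {
                return fallback;
            }
            String path = uri.getRawPath();
            boolean inside = path != null
                    && (path.equals(contextPath) || path.startsWith(contextPath + "/"));
            return inside ? uri.toString() : fallback;
        } catch (URISyntaxException e) {
            return fallback; // unparsable target: treat like an unsolicited login
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs; "/app" and "/index.jsp" are assumed values.
        String[] saved = {
            "/app/protected_dir/report.jsp?id=7", // user was routed through the login form
            null,                                 // login page bookmarked or loaded first
            "//other.example/landing",            // target outside the application
            "/app/../elsewhere/page.jsp"          // path that normalizes out of the context
        };
        for (String s : saved) {
            System.out.println(s + " -> " + resolve(s, "/app", "/index.jsp"));
        }
    }
}
```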

