thanks a million, max! upgrading the server is not an option in this case i'm afraid. but i will most definitely keep securityfilter in mind for future projects. also thanks for putting my mind at ease about this limitation of CMA in servlet 2.2. i thought it was just me overlooking something blatantly obvious. oh well, i can get some sleep now. ;-)

cheers,
will

----- Original Message -----
From: "Max Cooper" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>; "w i l l i a m b o y d" <[EMAIL PROTECTED]>
Sent: Friday, February 21, 2003 6:07 AM
Subject: Re: JDBCRealm - entering site through login page

> Bookmarking the login page and then returning and logging in results in what
> I call an 'unsolicited login request' since the app server didn't send the
> user to the login form in the first place. The server doesn't know where to
> send the user when it gets such a request, so it fails as you observed.
> Different servers do different things in this situation, but it isn't
> supported by the Servlet spec, so you cannot count on it working.
>
> That was one of the reasons I started the SecurityFilter project, which
> closely mimics container managed security with a few extensions.
> SecurityFilter allows you to specify a 'default page' that the server will
> redirect the user to when an unsolicited login request is received. It
> requires a Servlet 2.3 compliant server as it uses filters, but it might be
> a viable option for you if you are willing to do a server upgrade:
>
> http://securityfilter.sourceforge.net/
>
> Otherwise, there isn't much you can do besides putting a message on the
> login page that recommends that users don't bookmark it. They can bookmark
> protected pages, and will simply be routed through the login form and taken
> to the bookmarked page upon successful authentication (assuming they have
> access rights).
>
> -Max
>
> ----- Original Message -----
> From: "w i l l i a m b o y d" <[EMAIL PROTECTED]>
> To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> Sent: Thursday, February 20, 2003 9:48 PM
> Subject: JDBCRealm - entering site through login page
>
> > hi all,
> >
> > developing on w98 with tomcat 3.2.24, mysql 3.23.26, struts 1.0.2, jsk
> > 1.3.1. will be deploying with same setup but on xp. i was taking a custom
> > authorization approach originally, using a Struts LoginAction for the
> > protected areas of my web app. but i thought a JDBCRealm would be a neat
> > thing to implement. so, i got my JDBCRealm configured, no problem. what
> > happens now, is when a user tries to load a protected resource, they are
> > taken to the login page. they login, and they're rerouted to the resource
> > they originally tried to access. sweet!
> >
> > however, if someone, say, bookmarks the login page itself, or loads
> > http://www.mydomain.com/login.jsp as the very first page they visited on
> > the site, then logs in successfully? then all bets are off right? in that
> > case, i get a '404 page /protected_dir/null not found' message. of course,
> > if they give it a duff username/pass they get sent to my
> > <form-error-page>, as expected.
> >
> > forgive me if there is an obvious solution to this that i'm missing, but
> > it's 5 a.m., and i've been working on this for the last 12 hours; and
> > therefore not as sharp as i should be at the moment.
> >
> > what should i do to work around this? is there some way to point the login
> > page to a Struts Action servlet? and still use a JDBCRealm? i figured the
> > *only* action i was allowed to use with JDBCRealms was 'j_security_check',
> > with the requisite 'j_username' and 'j_password' form fields. no struts
> > actions allowed. is that right?
> >
> > or is there some way - using a JDBCRealm - to set a default page that
> > login would go to on a successful login, in the cases where a user hasn't
> > previously tried accessing a protected area, but instead simply tried
> > loading the login.jsp page itself, as the very first page the user visits
> > when they enter the site?
> >
> > any help anyone can give would be greatly appreciated. thanks in advance.
> >
> > will

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
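
The 'default page' behaviour discussed in this thread, sketched as a Servlet 2.3 filter. This is an added example, not part of the original messages and not SecurityFilter's own code; the class name, session keys, the `defaultPage` init-param, `/login_check`, `/login_error.jsp` and `/index.jsp` are assumptions, while `/login.jsp` and `/protected_dir/` are taken from the thread.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added illustration, not SecurityFilter's source. Paths and session keys are assumptions.
public abstract class DefaultPageLoginFilter implements Filter {
    private static final String SAVED = "login.savedTarget"; // hypothetical session key
    private static final String USER = "login.user";         // hypothetical session key
    private String defaultPage = "/index.jsp";               // assumed landing page

    // Credential check (for example a JDBC lookup) is left to the subclass.
    protected abstract boolean authenticate(String user, String password);

    public void init(FilterConfig cfg) {
        String p = cfg.getInitParameter("defaultPage");      // hypothetical init-param
        if (p != null && p.startsWith("/")) defaultPage = p;
    }

    public void destroy() { }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String ctx = req.getContextPath();
        String path = req.getRequestURI().substring(ctx.length());
        HttpSession session = req.getSession(true);

        if (path.equals("/login_check")) {                   // assumed form action
            String user = req.getParameter("j_username");
            if (!authenticate(user, req.getParameter("j_password"))) {
                res.sendRedirect(ctx + "/login_error.jsp");  // assumed error page
                return;
            }
            // Target comes only from the server-side session, never from a request parameter.
            String target = (String) session.getAttribute(SAVED);
            session.invalidate();                            // fresh session after login
            req.getSession(true).setAttribute(USER, user);
            // Unsolicited login: nothing was saved, so use the default page, not ".../null".
            res.sendRedirect(ctx + (target != null ? target : defaultPage));
            return;
        }
        if (path.startsWith("/protected_dir/") && session.getAttribute(USER) == null) {
            String q = req.getQueryString();
            session.setAttribute(SAVED, path + (q != null ? "?" + q : ""));
            res.sendRedirect(ctx + "/login.jsp");
            return;
        }
        chain.doFilter(rq, rs);
    }
}
```

Because the post-login target is stored server-side and always begins with `/protected_dir/`, a crafted link cannot turn the login form into a redirect to another site.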

