> The best way to think about form-based login is like this:
>
> * The login page is (in essence) part of the container,
>   not the application.  Therefore, ...
>
> * The login page should *never* be referenced directly by any
>   other application page, and ...
>
> * The login page should *never* be requested directly by the
>   user.

How do you enforce that a particular URL should never be asked for by a
user? Shouldn't the responsibility to handle that case rest with the JSP
container and not the user? Isn't that kind of like designing a user
interface where a button shouldn't be clicked when the program is in a
certain state and instead of making the button invisible or disabled when
in that state, you simply say "well, the user shouldn't click that button
when the program is in that state"?

>
> Using form-based login pages in any other manner is just going to cause
> you grief, unless and until the servlet spec were changed to mandate a
> behavior like what you propose.
>
> NOTE:  A primary reason that form-based login was designed the way it is
> was to emulate the user experience of how BASIC login works.  With BASIC,
> you never reference the login page directly, right?  It just pops up
> whenever you try to access a protected resource for the first time --
> then, you are transparently returned to the resource you originally
> requested.  Using form-based login lets you manage the look-and-feel of
> the login page, but it should *not* be part of your application's normal
> flow.
>
> > Any thoughts?
> >
> > -Mike
>
> Craig McClanahan
>
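The container-managed flow Craig describes above (the login page belongs to the container, is shown only when an unauthenticated user first requests a protected resource, and the user is then returned to that resource) corresponds to the web.xml configuration below. This is an added example, not code from the thread; the URL patterns, page names, role and realm names are assumptions, and it presumes a Servlet 2.2-or-later container.

```xml
<!-- web.xml (added example, not from the thread). The container, not the
     application, owns the login flow. /secure/*, /login.jsp, /login-error.jsp,
     the "user" role and the realm name are assumptions for illustration. -->
<web-app>

  <!-- 1. Declare what is protected. The first request to /secure/* from an
          unauthenticated user makes the container save that request and
          serve the login page itself; no application page ever links to
          /login.jsp, and nothing in the app needs to "enforce" that. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <!-- Optional hardening: require TLS so credentials are never sent in clear. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- 2. Tell the container which page to render in place of the protected
          resource. /login.jsp (assumed name) must contain a form that POSTs to
          the container's j_security_check action with fields j_username and
          j_password; the container consumes that POST, checks the realm, and
          on success redirects the browser to the request it saved in step 1.
          On failure it serves the error page instead. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>

</web-app>
```

With this configuration the "never request the login page directly" rule is a consequence of the design rather than something the application checks: a j_security_check POST that arrives without a saved request has nowhere to return to, and Tomcat, for example, rejects it with an "invalid direct reference to form login page" error.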
