On Thu, 21 Jun 2001, Michael Jennings wrote:
> > The best way to think about form-based login is like this:
> >
> > * The login page is (in essence) part of the container,
> > not the application. Therefore, ...
> >
> > * The login page should *never* be referenced directly by any
> > other application page, and ...
> >
> > * The login page should *never* be requested directly by the
> > user.
>
> How do you enforce that a particular URL should never be asked for by a
> user? Shouldn't the responsibility to handle that case rest with the JSP
> container and not the user?
Nope ... it's up to the application developer.
> Isn't that kind of like designing a user interface where a button shouldn't
> be clicked when the program is in a certain state and instead of making the
> button invisible or disabled when in that state, you simply say "well, the
> user shouldn't click that button when the program is in that state"?
>
Why is the button there at all? There should be zero linkages to the
login page from *anywhere* in your user interface.
Think of the login page as part of the container, not part of the
application.
NOTE: If you don't like the philosophy of form-based login, the
appropriate forum is the feedback address for the servlet spec
([EMAIL PROTECTED]), because that is where the requirements
for how Tomcat works are defined.
Craig
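An added example, not from either message above and not Tomcat's own code, of the deployment descriptor that the "login page belongs to the container" model implies. The URL pattern `/secure/*`, the page names `login.jsp` and `error.jsp`, and the role `member` are assumptions.

```xml
<!-- web.xml (constructed example): the container, not the application,
     decides when the login page is shown. DOCTYPE/xmlns header omitted. -->
<web-app>
  <!-- Only URLs under /secure/ are protected. login.jsp and error.jsp
       live outside that pattern, so the container can serve them
       without triggering the constraint itself. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Member area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- FORM auth: on an unauthenticated request to /secure/*, the container
       saves that request, forwards to login.jsp, and after a successful
       POST to j_security_check redirects back to the saved URL. No
       application page links to login.jsp, and none should; a direct
       request for it gives the container nothing to return to. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>member</role-name>
  </security-role>
</web-app>
```

The assumed `login.jsp` contains only a form with `method="post"`, `action="j_security_check"` and the fields `j_username` and `j_password`; those names are fixed by the servlet spec, and the relative action means the POST is handled by the container rather than by any application URL.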