Okay,

I was being stupid. I understand now, with form-based authentication when
you request /mywebapp/private/somefile.jsp what you get back should just be
generated from the login page, then when you submit your credentials,
it returns whatever is generated from /mywebapp/private/somefile.jsp

So the redirection thing is just how it is implemented right now.

Stupid me.
-Mike

----- Original Message -----
From: "Michael Jennings" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 21, 2001 2:21 PM
Subject: Re: FORM-based authentication idea


> > It's kinda hard for them to bookmark the login page when they don't know
> > the URL.
> >
> > Keep in mind that, as far as the browser is concerned, the URL in the
> > location is still the page that was originally requested.  Therefore, a
> > bookmark for the login form will actually be to the real page (which might
> > again trigger authentication if they have exited and restarted before
> > following the bookmark).
>
> Right now I've got a web app set up with Tomcat 3.2.2 using form-based
> authentication, when I request /WWAT2/user/welcome.jsp I get redirected to
> /WWAT2/login.jsp which I see in my address bar. Just for fun I bookmarked
> it, logged in, then I was redirected to /WWAT2/user/welcome.jsp (which was
> my original request).
> I logged out, then went to my bookmarked /WWAT2/login.jsp
>
> So it looks like I do see the login URL. (I have absolutely no links to
> the /WWAT2/login.jsp anywhere)
>
> So what you are saying is that if a user doesn't see the login URL, there
> are no links to it in the web-app,
> the chances of them requesting JUST the login page of a web-app are so few
> and far between
> that handling that special case should just be ignored?
>
> Is there something wrong with my tomcat configuration? The form-based
> authentication
> works like a dream except for showing me the URL of the login page. The
> behaviour
> is fine.
>
> -Mike
>
> > And (at least for servlet 2.3, but Tomcat 4 doesn't do it right yet), the
> > container is supposed to redirect to the originally requested page after
> > authentication is completed.  The net effect of this is that the URL of
> > the login page is never visible to the user, unless you have deliberately
> > linked to it in your user interface.  That's one of the reasons such
> > links should not exist.
> >
> > > > NOTE:  If you don't like the philosophy of form-based login, the
> > > > appropriate forum is the feedback address for the servlet spec
> > > > ([EMAIL PROTECTED]), because that is where the requirements
> > > > for how Tomcat works are defined.
> > > >
> > > > Craig
> > >
> > > Thanks! I'll forward my suggestion on to them.
> > > -Mike
> > >
> > >
> >
> > Craig
> >
> >
>
