Hello,
Unless I missed something, I believe there is a deficiency in the Form
Authentication mechanism, which does not let us protect the entire context.
When the protected resource is the entire context:
<url-pattern>/*</url-pattern>
Tomcat enters an endless loop
trying to call the login form:
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example Form-Based Authentication Area</realm-name>
  <form-login-config>
    <form-login-page>/login/login.jsp</form-login-page>
    <form-error-page>/login/error.jsp</form-error-page>
  </form-login-config>
</login-config>
I believe Tomcat should call login forms without security checks, but it
looks like that is not the case.
Also, I don't know of any URL pattern that allows excluding certain
patterns, so what is the solution?
Any help is greatly appreciated.
Alex
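
The configuration below is an added example, not part of the original message. It assumes a container that applies the Servlet 2.4 (or later) rule that only the constraints on the best-matching URL pattern apply to a request, so a more specific constraint with no auth-constraint leaves the login pages reachable while /* stays protected. The role name "user" and the web-resource-name values are assumptions; the /login/ paths and realm name are from the post.

```xml
<!-- Added example: fragment of WEB-INF/web.xml.
     Role name "user" and web-resource-name values are assumptions. -->

<!-- More specific pattern with no <auth-constraint>:
     requests under /login/ are served without authentication. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Login pages</web-resource-name>
    <url-pattern>/login/*</url-pattern>
  </web-resource-collection>
</security-constraint>

<!-- Every other request in the context requires an authenticated
     user holding the role below. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire context</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example Form-Based Authentication Area</realm-name>
  <form-login-config>
    <form-login-page>/login/login.jsp</form-login-page>
    <form-error-page>/login/error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>
```

Everything placed under /login/ becomes publicly reachable with this layout, so keep only the login page, the error page and the static assets they reference in that directory.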