> And your question would be ???? OOOO - patronising already. > I am assuming that you are wanting a work-around. Well, if you get No I don't want a workaround - I've already got it working. I was pointing this out because a) it is conflicting behaviour in the two current versions of Tomcat (3.2.1 and TC 4) and b) the spec is silent on the behaviour and I was wondering if Craig or any of the other Tomcat authors would comment > Your problem stems from the fact that when users type in URLs the > request is made as a get, which you have disallowed. (This part you probably > knew) This is then sent to the error page, as a get, which generates an > error, which sends it to the error page as a get, and so on. Yes, and TC4 doesn't show this behaviour! Kevin Jones DevelopMentor www.develop.com -----Original Message----- From: Randy Layman [mailto:[EMAIL PROTECTED]] Sent: 19 February 2001 14:21 To: [EMAIL PROTECTED] Subject: RE: Login And your question would be ???? I am assuming that you are wanting a work-around. Well, if you get Tomcat 3.2.2 (I think you still have to get it from CVS, but it should be release shortly) you will start getting 404 errors instead of infinte loops, I believe. Two work arounds: 1. What you probably want to do it to move everything in /foo to /foo/protected, except for login and error. Then disallow GET on /foo/protected/*. 2. What you probably don't want to do (but might) is to allow GET on /foo/login.jsp and /foo/error.jsp and disallow everything else (a hassle because you have to explictly disallow everything else and you must maintain the list in order to keep your site secure). Randy -----Original Message----- From: Kevin Jones [mailto:[EMAIL PROTECTED]] Sent: Monday, February 19, 2001 9:42 AM To: Tomcat-User Subject: Login I have a web-app that I want people to logon to. If the web-app is call foo, I put a constraint in web.xml stopping GET access to /foo/*. I then specify /foo/login.jsp and /foo/error.jsp as the login/error pages. Under TC4 this all works, I browse to http://localhost/foo, get re-directed to the login page and off we go. However, this configuration causes TC 3.2 to go into an infinite loop. The browsers asks for login.jsp and keeps getting re-directed to login.jsp because everything under /foo is protected. Kevin Jones DevelopMentor www.develop.com --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
