If you try to access a restricted page you get punted to the login page.
If you then don't log in until after the just-created session times out you get a 400 error on j_security_check. The error page catches this and redirects back to the login page.
Not the nicest user experience but better (arguably) than an error page.
Jon
Andoni wrote:
Hi,
I have implemented this and on first sight it seems to work perfectly. Can you please just confirm my understanding of it though so I am sure I know what I am doing:
1. The error page part need never really come into play.
2. A user calls the login page and it basically is using the session's isNew method to decide whether this is a session just newly created from a bookmark or a session that was in existence before the login page was displayed, as would be the case with one that had been created in whichever page had called index.jsp.
Thanks, Andoni.
----- Original Message -----
From: "Jon Wingfield" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Wednesday, November 19, 2003 2:54 PM
Subject: Re: j_security_check - Bookmarking the login page. A teaser!

The bookmarking of the login page is a well-known issue. However, without dumping CMS there seems to be little to do but resort to a few hacks ;(
Our hack pt1: Add to the top of the login page a redirect to a sensible entry point for the app:

    <%
      if (request.getSession(false).isNew())
        response.sendRedirect("/index.jsp");
    %>

Our hack pt2: Add an error page that catches the 'illegal direct reference to login page' (or whatever it is). Use this error page to redirect to a sensible entry point to the app. e.g.:

    <%
      Object badUri = request.getAttribute("javax.servlet.error.request_uri");
      Object errorCode = request.getAttribute("javax.servlet.error.status_code");
      if ("/j_security_check".equalsIgnoreCase(badUri.toString())
          && "400".equals(errorCode.toString())) {
        response.sendRedirect("/index.jsp");
        return;
      }
    %>
Pt 2 also catches things like a user sitting on the login page until the session times out.
HTH,
Jon
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
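The two workarounds from this thread, combined into one null-safe helper that a login page and an error page could both call. This is an added example, not code from the original messages. The class and method names are hypothetical, and prefixing the context path is an assumption that goes beyond the root-context paths used in the thread; the redirect target stays a fixed constant rather than anything taken from the request.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical helper (not from the thread) wrapping both redirects. */
public final class LoginRedirectHelper {
    // Entry point used in the thread; fixed, never derived from user input.
    private static final String ENTRY_POINT = "/index.jsp";
    private static final String LOGIN_ACTION = "/j_security_check";

    private LoginRedirectHelper() {}

    /** Part 1: call at the top of the login page. True means "redirected, stop rendering". */
    public static boolean redirectIfBookmarked(HttpServletRequest req,
                                               HttpServletResponse res) throws IOException {
        HttpSession session = req.getSession(false);
        // No session, or one created by this very request: the login page was
        // reached directly (for example from a bookmark).
        if (session == null || session.isNew()) {
            sendToEntryPoint(req, res);
            return true;
        }
        return false;
    }

    /** Part 2: call from the error page. Handles only a 400 raised on j_security_check. */
    public static boolean redirectIfStaleLogin(HttpServletRequest req,
                                               HttpServletResponse res) throws IOException {
        Object badUri = req.getAttribute("javax.servlet.error.request_uri");
        Object status = req.getAttribute("javax.servlet.error.status_code");
        // Both attributes are absent when the error page itself is requested directly.
        if (badUri == null || status == null) {
            return false;
        }
        // The error request URI includes the context path, so compare against it.
        String expected = req.getContextPath() + LOGIN_ACTION;
        if (expected.equalsIgnoreCase(badUri.toString()) && "400".equals(status.toString())) {
            sendToEntryPoint(req, res);
            return true;
        }
        return false;
    }

    private static void sendToEntryPoint(HttpServletRequest req,
                                         HttpServletResponse res) throws IOException {
        res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + ENTRY_POINT));
    }
}
```

In a JSP, return from the scriptlet when either method returns true so that nothing else is written after the redirect.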
