Either move to Tomcat 4.0 (both login and error pages are not
protected, regardless of their location) or move all your webapp into a
subdirectory except for the login page. They may not be good choices, but they
are the only choices that I know of.

        Randy

-----Original Message-----
From: paul marshal [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 20, 2001 10:04 AM
To: tomcat-list
Subject: formbased authentication: login.jsp is protected as well ?


Hi !

I want to restrict access to the whole webApplication using form-based
authentication (not just a subdirectory, as I've seen it in all the
examples).
Here is what I tried in web.xml:

<web-app>
<!-- all the mappings etc. -->

<security-constraint>
  <web-resource-collection>
    <web-resource-name>adminConsole</web-resource-name>
    <description>All adminConsole Pages</description>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  
  <auth-constraint>
    <description>admin console user</description>
    <role-name>adminConsoleUser</role-name>
  </auth-constraint>

  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>

</security-constraint>

<login-config>
   <auth-method>FORM</auth-method>
   <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login_error.jsp</form-error-page>
   </form-login-config>
</login-config>

</web-app>

The problem is that the login.jsp that I configure in web.xml (in
<login-config>...</login-config>) is also part of the webApp and thereby
also access restricted.
So when the container tries to forward to the login.jsp it would be
directed there again in an infinite loop. What really happens
is that I get a server-generated error message saying something similar
to: "page moved."

How can I protect the entire webApp ?
Any help, ideas etc ??

Paul

-- 
Paul Marshall
[EMAIL PROTECTED]
089/26019-609

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]