Craig:
Aha! You have pointed out several sources of problems!
Might you also be able to answer the other questions I raised?
- If I omit <transport-guarantee>, does it default to NONE?
- Is it possible to use * for <http-method> to specify that all HTTP
methods are to be subject to security, or do I understand the cryptic notes
in server.xml to mean that if one or more http methods are specified, those
will be subject to security checks, but if no http methods are specified
that all will be subject to security checks?
Many thanks.
Mike
Message-ID: <[EMAIL PROTECTED]>
A couple of things to remember:
* Check the log files to ensure that the authenticator
has initialized itself correctly.
* You should set the <http-method> values to upper
case (GET and POST) instead of lower case.
* You should *not* be referencing the form login page
yourself in a request. Try referencing a URL inside
a protected subdirectory of your application, and Tomcat
will automatically display the form login page for you.
From a user experience point of view, this operates exactly
like BASIC authentication does, with the form login page
replacing the pop-up dialog.
* Because of the above rule, you do not want your login page
to be the welcome page for the app, as "/index.html" is
by default. Instead, you will want to either have an unprotected
welcome page, or redirect the welcome into a protected area.
* Due to a bug in Tomcat 3.2.1, the <form-login-page> and
<form-error-page> pages must *not* be within an area protected
by a security constraint.
Craig McClanahan
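
The checklist above, as an added example that is not part of the original messages and is not Tomcat code: a small Python lint that reads a `web.xml` and reports lower-case `<http-method>` values, form login/error pages that fall under a protected `<url-pattern>`, and a welcome file that is the login page. The function names, rule labels and sample descriptor are constructed for illustration; it assumes a DTD-style descriptor with no XML namespace and handles only exact, `/prefix/*` and `*.ext` patterns.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the thread) with the pitfalls listed above.
SAMPLE_WEB_XML = """<web-app>
  <welcome-file-list><welcome-file>login.jsp</welcome-file></welcome-file-list>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/members/*</url-pattern>
      <url-pattern>*.jsp</url-pattern>
      <http-method>get</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>member</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

WRC = "security-constraint/web-resource-collection/"
FORM = "login-config/form-login-config/"

def is_protected(path, patterns):
    """Servlet url-pattern match: exact path, /prefix/* or *.ext."""
    return any(p == path or (p.endswith("/*") and (path + "/").startswith(p[:-1]))
               or (p.startswith("*.") and path.endswith(p[1:])) for p in patterns)

def lint_web_xml(xml_text):
    """Return (rule, value) findings for the pitfalls in Craig's list."""
    root = ET.fromstring(xml_text)
    texts = lambda path: [(e.text or "").strip() for e in root.findall(path)]
    patterns = texts(WRC + "url-pattern")
    findings = [("http-method-not-upper-case", m)
                for m in texts(WRC + "http-method") if m != m.upper()]
    for tag in ("form-login-page", "form-error-page"):
        findings += [(tag + "-is-protected", page)
                     for page in texts(FORM + tag) if is_protected(page, patterns)]
    findings += [("welcome-file-is-login-page", w)
                 for w in texts("welcome-file-list/welcome-file")
                 if "/" + w.lstrip("/") in texts(FORM + "form-login-page")]
    return findings

if __name__ == "__main__":
    print(*lint_web_xml(SAMPLE_WEB_XML), sep="\n")
```

On the sample, the login page is caught by the `*.jsp` pattern rather than by the `/members/*` directory pattern, which is the case that is easy to miss when reviewing a descriptor by eye.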