> Although I don't think this is the source of your problem, it strikes me
> as odd to be protecting the root of your webapp when this is where the
> "unprotected" pages are as well (i.e., login.jsp, login_error.html)
> [Gagnon, Joseph M] What can I say, I don't know much about what I'm
> doing. That is a good idea. Didn't think it would matter much for such a
> simple test. 

Not a problem, we all go through a learning phase :)  I'm not sure it
would matter either frankly, but it seems like it might... if you
request environment.jsp, the security intercept happens and tries to
redirect to login.jsp, but that itself is protected, so ANOTHER
intercept happens, etc.  I'm not sure that will happen mind you, but I
could imagine it happening, and you're caught in a loop.  Even if it is
smart enough to avoid it there, what happens if you enter your
password wrong and it tries to go to login_error.jsp?  Same thing
maybe, since it's protected too.

Since I don't know for sure what will happen, better to avoid the
unknown I figure :)

> Actually, one other thing... the references to the login form and the
> login error page in the <login-config> element I believe are relative to
> the webapp root, so drop the Simple_JSP from the beginning of them so
> they
> are /login.jsp and /login_error.jsp respectively.  [Gagnon, Joseph M]
> How important is the leading slash? 

IIRC, it is required.  I don't want to say what the difference is with
or without it because I'm not 100% sure it's right, but the bottom
line is I am reasonably sure it has to be there.

> Again, not sure this is the problem,
> but it could be.
> [Gagnon, Joseph M] Hmm. That's an interesting point. I wasn't sure how
> the path rules worked here. (i.e. whether you need to specify from the
> server "root" (e.g. webapps) or if it was more from the specific
> webapp's root. From what you're saying, it's the latter.

Right, it's all context-relative, and the context is whatever webapp
you are in, NOT the server root (in essence you can think there is no
server root really, that will simplify it a bit... pretend whatever
webapp you're working on is all there is and you should be OK).

> Also, there are perhaps some other things you need to do to tell Tomcat
> to
> use security... anyone else, does Joseph need to do anything to set up
> the
> UserDatabase resource[Gagnon, Joseph M] I have no idea what this is., or
> is that set up by default?  

In server.xml, there is a <GlobalNamingResources> element... in here
should be a definition for UserDatabase.  I *think* it is there by
default, but I was hoping someone else could confirm.

There is also an <engine> element, and within this can be a <context>
element, one for each webapp.  It is not strictly required, but it
allows you to set various things.  It looks like the <engine> has to
be "made aware" of the UserDatabase, via a <realm> element.  This is
Tomcat-specific stuff, and while I've hacked my way through it before,
there must be someone reading this that can better guide you with this
particular part of the equation.  It may be set up by default, it may
not, I don't know.

Frank
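
The points raised in this reply (a leading slash on the <login-config> paths, paths relative to the webapp root rather than prefixed with Simple_JSP, and login pages sitting under the protected pattern) can be checked mechanically. The following is an added example, not part of the original message; the sample web.xml, the /secure/* layout and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml modelled on the thread, not the poster's actual file.
BEFORE = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>everything</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>Simple_JSP/login.jsp</form-login-page>
      <form-error-page>Simple_JSP/login_error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""
# Assumed fix: protected pages moved under /secure/, context-relative paths.
AFTER = BEFORE.replace("/*<", "/secure/*<").replace("Simple_JSP/", "/")

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an XML namespace prefix, if any

def covers(pattern, path):  # servlet url-pattern: '/prefix/*', '*.ext', exact
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path

def lint(web_xml, context_name):
    """Return (element, issue) pairs for the form-login paths in web_xml."""
    root, patterns, findings = ET.fromstring(web_xml), [], []
    for sc in (e for e in root.iter() if local(e.tag) == "security-constraint"):
        patterns += [(e.text or "").strip() for e in sc.iter() if local(e.tag) == "url-pattern"]
    for el in root.iter():
        name, path = local(el.tag), (el.text or "").strip()
        if name not in ("form-login-page", "form-error-page"):
            continue
        if not path.startswith("/"):
            findings.append((name, "no-leading-slash"))
        if path.lstrip("/").startswith(context_name + "/"):
            findings.append((name, "includes-webapp-name"))
        if any(covers(p, "/" + path.lstrip("/")) for p in patterns):
            findings.append((name, "inside-protected-pattern"))
    return findings

print("before:", lint(BEFORE, "Simple_JSP"), "\nafter:", lint(AFTER, "Simple_JSP"))
```

The "inside-protected-pattern" finding only reports that a login or error page falls under a constrained url-pattern; whether the container then loops is the open question in the message above.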
