On Fri, 5 Oct 2001, Willie Vu wrote:

> Date: Fri, 5 Oct 2001 11:27:59 +0800
> From: Willie Vu <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED], [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Question on FORM based authentication in Tomcat 4.0
>
> I would like to achieve the following:
>
> - allow user to login directly without first accessing a protected area.
> After successful login, I want to forward the user to a default mypage.jsp.
>
> To do the above, I have to detect if login page is accessed directly.  If
> so, I need to force in the default mypage.jsp.  In Tomcat 3.2.1, there is
> the session attribute "tomcat.auth.originalLocation" where I can force in
> the default page.  However, in Tomcat 4.0, a new Note API is employed.  It
> hides internal attributes from external use.  So, the only hook -
> "tomcat.auth.originalLocation", is not available in Tomcat 4.0.
>
> I know that Servlet 2.3 spec doesn't spell out how to handle direct access
> to the login page.  I scan through the mail archive and notice a lot of
> people want to do this.  Can someone give us a sound solution?
>

It's not a solution ... just advice if you want your app to work ...
don't do that.

My advice during development:  make your app work with BASIC
authentication (where there is no such thing as a login page).  That is
*exactly* the model that form-based login was designed to emulate.  Then,
just before release production, add the <form-login-page> and
<form-error-page> directives pointing at the appropriate pages.

If you don't design for that pattern, then you are just fighting what
container managed security is all about (which is a total waste of time),
and you are probably better off doing your own login management (instead
of using container managed security).  There is absolutely no way you are
going to be happy if you expect users to attempt to bookmark, or link to,
the login page directly.


> Regards,
>
> Willie
>

Craig McClanahan
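
The pattern described in the reply above, sketched as a Servlet 2.3 web.xml. This is an added example, not part of the original thread. The role name, realm name, the /login.jsp and /error.jsp paths, and the placement of mypage.jsp at the context root are assumptions. The application links to the protected page, and the container presents the login form and then returns the user to the page that was requested.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
    "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <!-- "Log in" links in the application point at /mypage.jsp, the
       protected resource, and never at the login page itself. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Member pages</web-resource-name>
      <url-pattern>/mypage.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name> <!-- assumed role name -->
    </auth-constraint>
  </security-constraint>

  <!-- Development variant: BASIC, where no login page exists at all.
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example Realm</realm-name>
  </login-config>
  -->

  <!-- Release variant: same constraint, only the login-config changes.
       /login.jsp (assumed path) posts j_username and j_password to
       j_security_check; the container decides where the user goes next. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>member</role-name>
  </security-role>
</web-app>
```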
