On Fri, 5 Oct 2001, Willie Vu wrote:
> Date: Fri, 5 Oct 2001 12:14:27 +0800
> From: Willie Vu <[EMAIL PROTECTED]>
> To: Craig R. McClanahan <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: RE: Question on FORM based authentication in Tomcat 4.0
>
> Thanks for your prompt reply Craig.
>
> Your advice leads me to another question. OK, say I don't do that. I let
> Tomcat handle the login for me. However, you can bookmark the login page
> that Tomcat forwards them to. In this case, there is no way to stop users
> from accessing the login page directly. Tomcat will not have a previous
> request to forward the user to. It results in an error. How should I resolve
> this problem then?
>
It seems that you only have the following options:
* Tell your users "don't do that" and they listen.
* Tell your users "don't do that", and they don't listen, so they
keep getting errors.
* Switch to BASIC authentication so they cannot cause this kind of grief.
* Figure out a solution that works with the particular servlet container
you first deploy your application on (i.e. assume you can get Tomcat to
do what you think you want :-), but then have to redo everything when
you switch to a new container later.
* Use application-managed security instead of container-managed security.
* Get some new users :-)
Look ... the world is not a perfect place. Form based authentication is
GUARANTEED to cause portability problems if users insist on abusing it
(because it was specifically designed to emulate an existing web based
design pattern that is incredibly widely used). If you can't train users
not to abuse it, you are MUCH better off not using form-based
authentication at all.
> Regards,
>
> Willie
>
Craig
>
>
> > -----Original Message-----
> > From: craigmcc@localhost [mailto:craigmcc@localhost]On Behalf Of Craig
> > R. McClanahan
> > Sent: Friday, October 05, 2001 11:56 AM
> > To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > Subject: Re: Question on FORM based authentication in Tomcat 4.0
> >
> >
> >
> >
> > On Fri, 5 Oct 2001, Willie Vu wrote:
> >
> > > Date: Fri, 5 Oct 2001 11:27:59 +0800
> > > From: Willie Vu <[EMAIL PROTECTED]>
> > > Reply-To: [EMAIL PROTECTED], [EMAIL PROTECTED]
> > > To: [EMAIL PROTECTED]
> > > Subject: Question on FORM based authentication in Tomcat 4.0
> > >
> > > I would like to achieve the following:
> > >
> > > - allow users to log in directly without first accessing a protected area.
> > > After a successful login, I want to forward the user to a default
> > > mypage.jsp.
> > >
> > > To do the above, I have to detect if the login page is accessed directly.
> > > If so, I need to force in the default mypage.jsp. In Tomcat 3.2.1, there
> > > is the session attribute "tomcat.auth.originalLocation" where I can force
> > > in the default page. However, in Tomcat 4.0, a new Note API is employed.
> > > It hides internal attributes from external use. So, the only hook,
> > > "tomcat.auth.originalLocation", is not available in Tomcat 4.0.
> > >
> > > I know that the Servlet 2.3 spec doesn't spell out how to handle direct
> > > access to the login page. I scanned through the mail archive and noticed
> > > that a lot of people want to do this. Can someone give us a sound solution?
> > >
> >
> > It's not a solution ... just advice if you want your app to work ...
> > don't do that.
> >
> > My advice during development: make your app work with BASIC
> > authentication (where there is no such thing as a login page). That is
> > *exactly* the model that form-based login was designed to emulate. Then,
> > just before releasing to production, add the <form-login-page> and
> > <form-error-page> directives pointing at the appropriate pages.
> >
> > If you don't design for that pattern, then you are just fighting what
> > container managed security is all about (which is a total waste of time),
> > and you are probably better off doing your own login management (instead
> > of using container managed security). There is absolutely no way you are
> > going to be happy if you expect users to attempt to bookmark, or link to,
> > the login page directly.
> >
> >
> > > Regards,
> > >
> > > Willie
> > >
> >
> > Craig McClanahan
>
>
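An added example, not taken from the thread above or from the Tomcat project, of the web.xml deployment descriptor that Craig's advice implies: the <security-constraint> stays the same throughout, and only <login-config> changes when moving from BASIC during development to FORM just before production. The URL pattern /secure/*, the pages /login.jsp, /login-error.jsp and /secure/mypage.jsp, the role name "user" and the realm name are all assumed for illustration.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>

  <!-- Everything under /secure/ (assumed path) requires an authenticated
       user in the assumed role "user". Bookmarks and links should point at a
       page in here (e.g. /secure/mypage.jsp), never at the login page: the
       container saves the protected request, shows the login page, and
       replays the saved request after a successful login. A direct hit on
       the login page gives the container nothing to replay, which is the
       error described in the thread. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <!-- Added caveat, not from the thread: with either auth method the
         credentials travel in the clear unless the constraint also requires
         a confidential (SSL) transport. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Step 1 (development): BASIC authentication. There is no login page,
       so there is nothing for users to bookmark. Left commented out here so
       both steps appear in one file; use one <login-config> or the other. -->
  <!--
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example Realm</realm-name>
  </login-config>
  -->

  <!-- Step 2 (before production): swap in FORM authentication. The two page
       names are assumed. Per the Servlet 2.3 spec, /login.jsp must POST the
       fields j_username and j_password to the action j_security_check; the
       container, not the application, decides where the user lands next. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>

</web-app>
```

Nothing in this descriptor is Tomcat-specific, which is the portability point Craig is making: the application never learns where the container saved the original request, so the only portable way to give users a "log in first" entry point is to publish a link to a protected page such as /secure/mypage.jsp and let the container do the redirect.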