On 27 Aug 2002, Alexander Wallace wrote:
> Date: 27 Aug 2002 09:17:58 +0100
> From: Alexander Wallace <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: JDBCRealm + Form Based Auth. How do I tell it where to go if
> login is ok?
>
> Hello there. Very new to realms and java, so sorry if this is too
> stupid.
>
> I have set up a JDBCRealm using PostgreSQL and it all seems to work. It
> does connect and load the roles, and when I try to access protected
> resources, it does go to the Form based login I specify in web.xml and
> the error page for that works too.
>
> My question is, since the form action in the login page points to <%=
> response.encodeURL("j_security_check") %>, how, or where do I specify
> where my app goes after a successful login?
>
Short answer - your application should *never* reference the URL of the
login page, or the "j_security_check" page directly.
Longer answer - the basic philosophy of form-based login is to mimic BASIC
login. The formal definition of the algorithm is in the servlet spec:
http://java.sun.com/products/servlet/download.html
in Chapter 12. Essentially, it goes like this on each request:
* Client submits a request for a particular URI
* Server determines if there is a security constraint
covering that URI
--> If none, allow the request to proceed
* Server determines if the user is already logged on
--> If so, check roles and allow or disallow access
* Server SAVES the original request and sends back
the form login page
* User submits the login credentials
* Server checks the credentials
--> If incorrect, send back the form error page
--> If correct, RESTORES the original request and proceeds
So, the answer to the question "where do I go after logging in" is "the
page you originally asked for that triggered the authentication dialog."
If the flow is still confusing, temporarily switch your application to use
BASIC authentication instead (where the browser pops up a
username/password dialog box). There is no way to address that dialog
box, right? Or to say where it should go afterwards? That's because the
browser (in the case of BASIC) is doing the same thing -- it will resubmit
your original request for you along with the username/password.
> Thanks in advance!
>
Craig
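The save/restore sequence Craig lists above, as an added example that models the container side of it; this is illustrative code written for this page, not Tomcat's FormAuthenticator or anything from the thread. The user table, the security constraints, the `/admin/` and `/staff/` paths and the credentials are all constructed for the example. Two points it makes concrete: the saved request lives server-side in the session, so the post-login destination is never a client-supplied "return to" parameter (no open-redirect surface), and posting to the login action with nothing saved is rejected rather than guessed at.

```python
"""Model of Servlet-spec form-based login: save the original request,
show the form, verify credentials, restore the saved request.
Added illustration only; names and data are invented for this example."""
import hmac
from dataclasses import dataclass, field
from typing import Optional

LOGIN_PAGE = "/login.jsp"         # form-login-page from web.xml
ERROR_PAGE = "/error.jsp"         # form-error-page from web.xml
LOGIN_ACTION = "/j_security_check"

# Constructed stand-in for the JDBCRealm users/roles tables.
USERS = {
    "alice": ("s3cret", frozenset({"manager"})),
    "bob": ("hunter2", frozenset({"employee"})),
}
# Constructed security constraints: URI prefix -> roles allowed.
CONSTRAINTS = {"/admin/": {"manager"}, "/staff/": {"manager", "employee"}}


@dataclass
class Request:
    method: str
    uri: str
    body: dict = field(default_factory=dict)   # form fields for POSTs


@dataclass
class Response:
    status: int
    body: str = ""
    location: Optional[str] = None             # Location header on 302


@dataclass
class Session:
    user: Optional[str] = None
    roles: frozenset = frozenset()
    saved_request: Optional[Request] = None    # server-side only, never sent to the client


def constraint_for(uri: str):
    """Return the role set guarding uri, or None if it is unprotected."""
    for prefix, roles in CONSTRAINTS.items():
        if uri.startswith(prefix):
            return roles
    return None


def serve(request: Request, session: Session) -> Response:
    """One request through the authenticator, following the spec's steps."""
    if request.uri == LOGIN_ACTION:
        return handle_login(request, session)
    roles_allowed = constraint_for(request.uri)
    if roles_allowed is None:                   # no constraint: proceed
        return Response(200, f"unprotected {request.uri}")
    if session.user is not None:                # already logged on: check roles
        if session.roles & roles_allowed:
            return Response(200, f"{request.method} {request.uri} as {session.user}")
        return Response(403, "forbidden")
    session.saved_request = request             # SAVE the original request ...
    return Response(302, location=LOGIN_PAGE)   # ... and send the login form


def handle_login(request: Request, session: Session) -> Response:
    saved = session.saved_request
    if saved is None:
        # The form was reached directly, not via a protected URI: nothing to restore.
        return Response(400, "invalid direct reference to form login page")
    user = request.body.get("j_username", "")
    password = request.body.get("j_password", "")
    record = USERS.get(user)
    # Constant-time compare; a dummy compare keeps timing similar for unknown users.
    expected = record[0] if record else ""
    if record is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return Response(302, location=ERROR_PAGE)   # saved request is kept for a retry
    session.user, session.roles = user, record[1]
    session.saved_request = None
    # RESTORE: the destination comes from server-side state, not from the client,
    # so there is no redirect target a phishing link could supply.
    return Response(302, location=saved.uri)


if __name__ == "__main__":
    s = Session()
    for req in (Request("GET", "/admin/reports"),
                Request("POST", LOGIN_ACTION, {"j_username": "alice", "j_password": "wrong"}),
                Request("POST", LOGIN_ACTION, {"j_username": "alice", "j_password": "s3cret"}),
                Request("GET", "/admin/reports")):
        r = serve(req, s)
        print(req.method, req.uri, "->", r.status, r.location or r.body)
```

Run as a script it walks one user through the whole flow: the protected GET yields a redirect to the login page, a bad password redirects to the error page with the saved request still in place, a good password redirects back to `/admin/reports`, and the repeated GET succeeds. The answer to the original question is the `saved.uri` on the last redirect, which the application never had to spell out anywhere.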