Some more ideas...

In my application I never have a direct link to the login.jsp.
Try to link either to any file that will be accessed after login (e.g.
content.jsp) or link only to the secure directory that you mapped and
let the welcome-file redirect link to index.jsp or whatever.

Doesn't solve the back button issue (check Tomcat bug list), doesn't
prohibit users from bookmarking the login.jsp, but improves usability at
least a bit by avoiding some opportunities to get errors.

For your intermediate page thing I would suggest looking into using
filters. Unfortunately nothing can prohibit anyone from using the
browser back button and trying to relog again because in that back button
case the login.jsp isn't even loaded again; so you can't even check for
that error by any means.

Michael

> -----Original Message-----
> From: Ben Jessel [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, 17 December 2002 13:43
> To: Tomcat Users List
> Subject: Re: Workaround for login page direct reference
> 
> 
> Thanks Mike,
> 
> I guess, another workaround is that you could just invalidate 
> their session if they go to the login page.... Now, I still 
> don't see how all this is going to help that "direct reference 
> to login page"....as it seems that I get this error if I go 
> to login.jsp and then enter in my details.....
> 
> - Say the user goes to xxxx/login.jsp directly....
> - If we've protected that page Tomcat goes, no - "that's a 
> protected resource", and forwards to xxxx/login.jsp
>   Otherwise, tomcat just goes to the login page.
> - You enter the user details, and then tomcat tries to 
> forward to the page you came from ( i.e  login.jsp ), but 
> detects this is invalid ( presumably by comparing against 
> <login-page> in the web.xml ), and displays an error - "direct 
> reference to login page"....
> 
> What I'd really, really, like, is some way of having an 
> intermediate page where I can check the requestURI to find 
> out what page tomcat is going to redirect me *after* login, 
> so tomcat would give me 
> login.jsp?page_to_forward_to=blah.jsp... but alas, I don't 
> think I can...
> 
> ----- Original Message -----
> From: "Mike W-M" <[EMAIL PROTECTED]>
> To: "Tomcat Users List" <[EMAIL PROTECTED]>
> Sent: Tuesday, December 17, 2002 11:28 AM
> Subject: Re: Workaround for login page direct reference
> 
> 
> > I'm going to have to sort this myself in the near future, but I don't
> > quite see how the fact that you can forward to the protected resource
> > is going to help?  Isn't Tomcat going to automatically redirect (not
> > forward - the distinction is important since redirecting will result
> > in the login page's URL showing up in the browser's address bar) to
> > the login page you've configured?   Actually... since redirecting
> > causes the browser to initiate a new request (for your WEB-INF/login
> > page in this case), won't you get a 404-type error?
> >
> > Someone posted in a similar thread the other day that they intended to
> > check a couple of things in the login page:
> > 1. request.getRequestedSessionId() is *NULL* and
> > 2. There is *NO* cookie named "JSESSIONID"
> > I think the theory was that these would both be true on the first
> > occasion the login page was accessed, but that if the user was already
> > authenticated then the conditions wouldn't hold so the page should
> > redirect to the index page. It's not nice to be relying on a cookie
> > name (what if they change it between versions, or if cookies are
> > turned off (though I'm not sure the authentication works then
> > anyway!)?) but I'm inclined to move in that direction when it's my
> > turn....
> >
> > Mike.
> >
> >
> >
> > ----- Original Message -----
> > From: "Ben Jessel" <[EMAIL PROTECTED]>
> > To: "Tomcat Users List" <[EMAIL PROTECTED]>; "Brett M. 
> > Bergquist" <[EMAIL PROTECTED]>
> > Sent: Tuesday, December 17, 2002 10:55 AM
> > Subject: Re: Workaround for login page direct reference
> >
> >
> > I'll give that a go.
> >
> > Thanks
> >
> > Ben
> > ----- Original Message -----
> > From: "Brett M. Bergquist" <[EMAIL PROTECTED]>
> > To: "Tomcat Users List" <[EMAIL PROTECTED]>; "Ben Jessel" <[EMAIL PROTECTED]>
> > Sent: Monday, December 16, 2002 8:54 PM
> > Subject: Re: Workaround for login page direct reference
> >
> >
> > > Ben, I'm not sure but I believe that I've seen mention that you can
> > > forward to a page that is not accessible to the outside.  That
> > > is, put the Login.jsp page within WEB-INF of your web app and it
> > > will not be available to the outside world but you can forward to
> > > it from inside the web app.
> > >
> > > I don't know if this will work because I have not tried it but it
> > > might.
> > >
> > > Brett
> > >
> >
> > ..
> >
> >
> > --
> > To unsubscribe, e-mail:
> <mailto:[EMAIL PROTECTED]>
> > For additional commands, e-mail:
> <mailto:[EMAIL PROTECTED]>
> >
> >
> 
> 
> 
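
Added example, not part of the original thread and not Tomcat's own code: a servlet filter mapped to the login page that sends an already-authenticated user to a fixed landing page, using request.getRemoteUser() in place of the JSESSIONID cookie-name check discussed above. The class name LoginPageGuardFilter, the homePath init parameter and /index.jsp are hypothetical, and it assumes the container exposes the authenticated user on requests for the login page.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (hypothetical names). Map it to the login page only:
 *   <filter-mapping>
 *     <filter-name>loginPageGuard</filter-name>
 *     <url-pattern>/login.jsp</url-pattern>
 *   </filter-mapping>
 */
public class LoginPageGuardFilter implements Filter {
    // Landing page for users who are already logged in (assumed default).
    private String homePath = "/index.jsp";

    public void init(FilterConfig config) throws ServletException {
        String p = config.getInitParameter("homePath");
        // Accept only a context-relative path, never an absolute or "//host" URL.
        if (p != null && p.startsWith("/") && !p.startsWith("//")) {
            homePath = p;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Assumption: the container sets the remote user on this request
        // once the session has been authenticated.
        if (request.getRemoteUser() != null) {
            // The target comes from configuration, not from a request
            // parameter, so the filter cannot be used as an open redirect.
            String target = request.getContextPath() + homePath;
            response.sendRedirect(response.encodeRedirectURL(target));
            return;
        }
        chain.doFilter(req, res); // not logged in: show the login form
    }

    public void destroy() { }
}
```
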

