When your dispatcher does the translation, does it forward or include the 'actual' resource? Meaning it takes place entirely server-side? If you did a sendRedirect, that would then make the browser request the protected resource directly, which would invoke the AUTH, if the AUTH is configured correctly. And it looks right to me. What it sounds like is that once you are on the server-side (by requesting the un-protected /dispatcher resource) any server-side forwards or includes are not being authenticated. I wasn't aware that was the case. It works this way for filters though, but in the next servlet spec (2.4) we'll have filter mappings being honoured for forwards and includes as well (configurable).
> -----Original Message-----
> From: Ronnie [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 01, 2003 11:35 AM
> To: [EMAIL PROTECTED]
> Subject: FORM Login Bypassed
>
> Hi!
>
> I have this web application using FORM login access but I am
> having a problem directing the navigation to the defined login
> page when a user clicks on a secure link.
>
> You see, I am using a DispatcherServlet as a navigation
> controller to direct users to the correct page and the URL is
> coded as:
>
> <a href="dispatcher?action=admin">admin</a>
>
> Where "dispatcher" is the URL name of the DispatcherServlet.
> In the servlet, "admin" is translated to
> "/computers/admin/index.jsp" from values coded in web.xml.
>
> Now when I declare the protected url-pattern as
> "/computers/admin/*" as below, when I click on the above link
> the login page is bypassed and I can access the admin index
> page without logging in.
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Administration functions</web-resource-name>
>     <!-- <url-pattern>dispatcher?action=admin</url-pattern> Does not work! -->
>     <url-pattern>/computers/admin/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <!-- Anyone with one of the listed roles may access this area -->
>     <role-name>admin</role-name>
>   </auth-constraint>
>
>   <!-- HTTPS/SSL -->
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <form-login-config>
>     <form-login-page>dispatcher?action=adminLogin</form-login-page>
>     <form-error-page>dispatcher?action=adminLoginFail</form-error-page>
>   </form-login-config>
> </login-config>
>
> To overcome this I had to hardcode the link in my webpage as:
> <a href="/Computers/computers/admin/index.jsp">admin</a>
>
> I wish to keep my navigation based on logical names. Is there
> a work-around or solution to this problem?
>
> Regards,
> Ronnie Choo
> Singapore
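The point raised in the reply, that a container-side RequestDispatcher forward is never checked against a <security-constraint>, can be worked around in the dispatcher itself. The following is an added example, not code from Ronnie or from the thread; the servlet class name, the logical-name map and the PROTECTED_PREFIX constant are assumptions, while the JSP paths and the "admin" role come from the quoted web.xml.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical navigation controller. In the real application the logical
// name -> JSP path table would be read from web.xml init-params.
public class GuardedDispatcherServlet extends HttpServlet {
    private static final Map<String, String> TARGETS = Map.of(
        "home",       "/computers/index.jsp",
        "admin",      "/computers/admin/index.jsp",
        "adminLogin", "/computers/login.jsp");

    // Mirrors <url-pattern>/computers/admin/*</url-pattern> from web.xml.
    // Keep the two in sync: the container only enforces the pattern on the
    // browser's own request URI, never on a forward() or include().
    private static final String PROTECTED_PREFIX = "/computers/admin/";

    /** True when the target falls under the declarative security constraint. */
    static boolean isProtected(String path) {
        return path != null && path.startsWith(PROTECTED_PREFIX);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String target = TARGETS.get(req.getParameter("action"));
        if (target == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);  // unknown logical name
            return;
        }
        if (isProtected(target) && !req.isUserInRole("admin")) {
            // Not (yet) an authenticated admin: redirect instead of forwarding.
            // The browser then requests the protected URL directly, so the
            // container applies FORM login, the role check and CONFIDENTIAL
            // transport. A forward() here would silently bypass all three.
            resp.sendRedirect(req.getContextPath() + target);
            return;
        }
        // Public pages, or an already-authorised admin, may be forwarded
        // server-side; the logical-name navigation is preserved.
        req.getRequestDispatcher(target).forward(req, resp);
    }
}
```

The isUserInRole check is belt-and-braces: even if a future code path forwards to an admin page, the caller's role has already been verified against the same role name web.xml declares.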
