I am using tomcat 5.5.23 to set up form based authentication. I have looked at the source code and ran the security/protected example that is provided with tomcat, and I have a question about the resources associated with the login-config. The two jsps defined in the login-config are in the security/protected directory, under which I thought all resources are protected. How is it then these two pages can be displayed without the user logging in? Or is there an exemption for those pages defined in the login-config?
[The reason I am asking is that I am trying to work out the best structure for my application. I want my login pages to contain images and css and those resources *will* have to be in an unprotected area. When I created a protected directory then I had all sorts of trouble with the path to the unprotected resources. My current structure is: /login.jsp /error.jsp /images/*.gif /application.css /protected/*.jsp /protected/images/*.gif but when I try to access protected/*.jsp tomcat brings up the correct login page but seems to think that all resources that are relatively defined in login.jsp are actually relative to the protected area. The only way I can fix this is to define absolute paths in my jsp, a solution which I am not particularly happy with (I saw an associated posting on this for a different version of tomcat: http://mail-archives.apache.org/mod_mbox/tomcat-users/200311.mbox/[EMAIL PROTECTED])] Any help with the original question would be much appreciated. Natalie Get the name you always wanted with the new y7mail email address. www.yahoo7.com.au/y7mail --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]