On 21 Sep 2012, at 3:25 PM, Jeff Trawick <trawick@gmail.com> wrote:
>> 1: (why) do I need to specify the AuthName, Session, and authn
>> provider params (e.g. DBD query) in both the location I am protecting
>> and in the location that defines the form-login-handler?
You do, yes, because HTTP is stateless.
The original hit to your original protected URL (request 1) triggered a redirect to your login
page (request 2), which caused the end user to type a username and password and click submit
(request 3). By the time request 3 has happened, the server has no idea request 1 has happened.
Both request 1 and request 3 must be protected for the server to log you in.
>> 2: I'd like to say that an entire logical tree is protected, and have
>> a successful login redirect back to wherever the user tried to go in
>> the first place. However, the doc seems to be telling me that I need
>> to supply AuthFormLoginSuccessLocation with a specific URL in it.
>>
>> In other words, if I start out with
>>
>> <Location /protectedStuff/>
>> AuthType form
>> ...
>> </Location>
>>
>> and then I set up
>>
>> <Location /dologin.html>
>> SetHandler form-login-handler
>> ...
>> </Location>
>>
>> and the user navigates to /protectedStuff/banannas.html, I'd like a
>> successful login to redirect to that location, whereas if they
>> navigate to /protectedStuff/kumquats.html, ditto.
In this case, you want inline login, described at http://httpd.apache.org/docs/2.4/mod/mod_auth_form.html#inline
Regards,
Graham
--
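The inline-login setup the reply points to, as an added example that is not part of the original message: the protected tree is itself the login target, so the AuthName, session and provider settings are declared once and a successful login lands on whatever URL was requested. The file provider, paths, realm name and passphrase are assumptions; a DBD provider and query would take the place of the two provider lines.

```apache
# Added example, not from the original thread. Assumes mod_auth_form,
# mod_session, mod_session_cookie, mod_session_crypto and mod_authn_file
# are loaded. Realm name, paths and passphrase are placeholders.

# Every URL under /protectedStuff/ is both the protected resource and the
# place the login form is posted to, so one block carries all auth settings.
<Location "/protectedStuff/">
    AuthType form
    AuthName "protected-realm"
    AuthFormProvider file
    AuthUserFile "conf/passwd"
    Require valid-user

    # The session is what links the stateless requests together.
    Session On
    SessionCookieName session path=/protectedStuff/;httponly;secure
    SessionCryptoPassphrase "CHANGE-ME-placeholder"

    # No redirect: the login form is served as the 401 body at the URL the
    # user asked for (banannas.html, kumquats.html, ...).
    ErrorDocument 401 "/login.html"
</Location>

# The form page lives outside the protected tree and must stay reachable
# without authentication, otherwise the 401 body cannot be served.
<Location "/login.html">
    Require all granted
</Location>

# /login.html (constructed) posts back to the current URL via the empty
# action, using mod_auth_form's default field names:
#
#   <form method="POST" action="">
#     <input type="text" name="httpd_username" />
#     <input type="password" name="httpd_password" />
#     <input type="submit" value="Login" />
#   </form>
```

With the redirect-based form-login-handler setup from the question, the same AuthName, Session and provider lines would instead have to appear in both the protected location and the handler location, as the reply explains.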