tomcat-dev mailing list archives

From Andy Armstrong
Subject Re: FORM-based authentication idea
Date Wed, 20 Jun 2001 23:05:29 GMT
Michael Jennings wrote:

> Hi everyone,
> I just wanted to bounce an idea off of everyone. In tomcat, when one
> specifies form-based authentication you have to tell tomcat which page is
> the login page. This is done via the context's web.xml file by setting the
> <form-login-page> property under the <login-config> section. When a user
> hits a protected URL in a context, if they are not already authenticated,
> the original request page is saved in their session, then they are
> redirected to the login page; if the login succeeds, they are redirected
> to their original request page.
> A problem happens however, when a user requests JUST the login page. After
> logging in, there is nowhere to redirect the user to since there is no
> original request saved in the session.
> What if there was a concept of a "default login target"? so that when a
> user requests just the designated login page, if they are already
> authenticated, they get redirected to the "default login target" page.
> Similarly, if a user requests the login page but they are not
> authenticated, upon logging in they would get redirected to the "default
> login target".
> I realize that this is probably not in the JSP spec, but something like
> this seems to be necessary.
> The alternative is to look for the presence of a session variable called
> "tomcat.auth.originalLocation" and set up a default from within the login
> page if that session variable isn't there.
> Any thoughts?

Why not supply the default in a hidden field on the login page?

Andy Armstrong, Tagish
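
The redirect decision discussed in this thread, as an added sketch that is not part of either message and is not Tomcat's code. The class and method names are hypothetical; it assumes the saved request comes from the session attribute named above, and because a hidden field is submitted by the browser, it accepts that value only when it is a path inside the application, falling back to a server-side default otherwise.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added illustration; not Tomcat code. Class and method names are hypothetical.
public class LoginTarget {

    // Session attribute named in the message above.
    static final String ORIGINAL_LOCATION = "tomcat.auth.originalLocation";

    // Accept only a path inside this web application: no scheme, no host,
    // a single leading slash, no backslashes or control characters.
    static boolean isLocalPath(String candidate) {
        if (candidate == null || !candidate.startsWith("/")
                || candidate.startsWith("//") || candidate.indexOf('\\') >= 0) {
            return false;
        }
        for (char c : candidate.toCharArray()) {
            if (c < 0x20 || c == 0x7f) return false;
        }
        try {
            URI u = new URI(candidate);
            return !u.isAbsolute() && u.getRawAuthority() == null;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    // savedOriginal: value stored in the session under ORIGINAL_LOCATION (or null).
    // hiddenField: value posted from the login form (client-supplied, or null).
    // configuredDefault: server-side "default login target".
    static String resolve(String savedOriginal, String hiddenField, String configuredDefault) {
        if (savedOriginal != null) return savedOriginal; // normal container flow
        if (isLocalPath(hiddenField)) return hiddenField;
        return configuredDefault;
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        System.out.println(resolve("/app/report.jsp", null, "/home.jsp"));
        System.out.println(resolve(null, "/welcome.jsp", "/home.jsp"));
        System.out.println(resolve(null, "//other.example/x", "/home.jsp"));
        System.out.println(resolve(null, "http://other.example/", "/home.jsp"));
        System.out.println(resolve(null, null, "/home.jsp"));
    }
}
```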
