tomcat-dev mailing list archives

From: "Craig R. McClanahan" <craig...@apache.org>
Subject: Re: Bug in FormAuthenticator?
Date: Fri, 31 Aug 2001 20:26:33 GMT

While Tomcat should definitely react better than it does, it's worth
pointing out that you should ***not*** be accessing the login page
yourself.  Let Tomcat use it as needed, the first time a particular user
tries to access a resource protected by a security constraint.

Think about how BASIC authentication works - you never actually link to
the login pop-up window, right?  The server just displays it as necessary,
then completes the originally requested request.  The design of form based
authentication attempts to mimic that user experience.

Craig


On Wed, 29 Aug 2001, Bragg, Casey wrote:

> Date: Wed, 29 Aug 2001 22:37:16 -0500
> From: "Bragg, Casey" <Casey.Bragg@allegiancetelecom.com>
> Reply-To: tomcat-dev@jakarta.apache.org
> To: "'tomcat-dev@jakarta.apache.org'" <tomcat-dev@jakarta.apache.org>
> Subject: Bug in FormAuthenticator?
>
> I think the following action causes a bug:
>
> Tomcat 4.0b7 (not specific to this release)
> JDBCRealm (not specific to this realm)
> FormAuthenticator
>
> 1) Go to the URL of the specified login page (go directly to it).
> 2) Log in correctly.
> 3) You will be sent to /null or /context/null.  (unless my configuration is
> screwed up)
>
> I think the problem is in the savedRequestURL method.  I don't know if this
> solution is mentioned in the spec, but it seems pretty important.
>
> This is how I think the code should be:
>
>     private String savedRequestURL(Session session) {
>
>         ...snip
>         if (saved == null) {
>             // where config.getDefaultPage returns a page URL to
>             // go to if the Login page was requested directly
>             // (no request was saved).  I suppose this would be set
>             // the same way the LoginPage URL was specified
>             return config.getDefaultPage();
>         }
>         ...snip
>     }
>
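
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Tomcat's FormAuthenticator code: a post-login redirect target computed with and without a fallback for the case where the login page was requested directly and no request was saved. The class, the session key, the map standing in for the session, and all URLs are assumptions made for illustration.

```java
import java.net.URI;
import java.util.HashMap;
import java.util.Map;

// Added illustration, not Tomcat's FormAuthenticator; all names are hypothetical.
public class PostLoginRedirect {
    static final String SAVED_KEY = "example.savedRequestURI"; // hypothetical session key

    // Naive: a missing saved request turns into the literal string "null".
    static String naiveTarget(Map<String, String> session) {
        return String.valueOf(session.get(SAVED_KEY));
    }

    // With fallback: use a configured default page when nothing was saved.
    static String targetWithDefault(Map<String, String> session, String defaultPage) {
        String saved = session.remove(SAVED_KEY); // replay a saved request only once
        return (saved != null) ? saved : defaultPage;
    }

    public static void main(String[] args) {
        // Constructed sample values.
        URI loginAction = URI.create("http://localhost:8080/context/j_security_check");
        String defaultPage = "/context/index.jsp";

        // Case 1: the user went straight to the login page, so nothing was saved.
        Map<String, String> direct = new HashMap<>();
        System.out.println("naive, direct login:    "
                + loginAction.resolve(naiveTarget(direct)));
        System.out.println("fallback, direct login: "
                + loginAction.resolve(targetWithDefault(direct, defaultPage)));

        // Case 2: the container intercepted a protected request and saved it.
        Map<String, String> intercepted = new HashMap<>();
        intercepted.put(SAVED_KEY, "/context/protected/report.jsp");
        System.out.println("fallback, intercepted:  "
                + loginAction.resolve(targetWithDefault(intercepted, defaultPage)));
        System.out.println("saved request still in session: "
                + intercepted.containsKey(SAVED_KEY));
    }
}
```

The naive case resolves the relative string "null" against the login action URL, which is one way a redirect can end up at a path ending in /null.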

