tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 4104] - Null savedrequest at FormAuthenticator.authenticate()
Date Fri, 12 Oct 2001 08:56:12 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=4104>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=4104

Null savedrequest at FormAuthenticator.authenticate()

Tonu.Poeld@andmevara.ee changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|DUPLICATE                   |



------- Additional Comments From Tonu.Poeld@andmevara.ee  2001-10-12 01:56 -------
I think it is very useful, in some cases, to have the login page referenced 
directly. For example if a web application needs a to show login form on a main 
page (is not a login page itself). The login form has text inputs j_username 
and j_password and will be submitted directly to j_security_check. In this case 
the /null page is returned to the user, as in case if login page were 
referenced directly.

I think that the best solution for this would be to have another parameter in 
web.xml "form-login-config" section. The parameter specifies the page, which 
will be returned if the login page were referenced directly and the login 
succeeded. But beacuse the servlet 2.3 specification doesn't say anything about 
it, then it does break the compatibility.

Another solution would be to redirected the user to the default page. If the 
requestURI is null then the Tomcat checks if the catalog of the login page has 
a default page. If the default page is present, then redirects the user to that 
page, else returns the BAD_REQUEST response. This solution raises the question: 
how to find the URI of the default page of the resource? I searched for this in 
the Servlet API and didn't find a clear answer. Maybe the RequestDispather 
could be used for this?

I know this bug is also present in Tomcat 3.2.2 (#4048). And at the moment I 
solved this by defining a /null mapping in web.xml. The servlet behind this 
mapping redirects the users to a default page.
For example:
   <servlet>
        <servlet-name>
            NullRedirector
        </servlet-name>
        <servlet-class>
           package.NullRedirector
        </servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>
            NullRedirector
        </servlet-name>
        <url-pattern>
            /login/null
        </url-pattern>
    </servlet-mapping>

Of course this is a bad solution, but I didn't find any better. But if in the 
future the BAD_REQUEST response will be returned, then I can't see any solution 
to have the this functionality? 

I also read Craig's comment (bug #3839) that swiching to BASIC authentication 
would break the application functionality if the login form is hyperlinked by 
apps pages. But in my case it is nessesary to have a login form on the main 
page of my application. 

Of course another solution would be to build the authentication/authorization 
login into web application, so the problem could be solved, but in this way I 
can't use many features of the Web container, for example: have the username 
returned by calling the request.getRemoteUser(), have the username logged in 
log file, etc...

Mime
View raw message