tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 8976] - Form Authentication Gives invalid direct reference to form login page
Date Sat, 24 Sep 2005 10:49:50 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=8976>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=8976





------- Additional Comments From tgeor@yahoo.com  2005-09-24 12:49 -------
I tried your solution in Tomcat 4.1.31 and it seemed to me not to be working because the
redirect url (j_redirect_url) should be one of the security protected resources.

In my case I have a login form in any page of my site so the user can log in from any
page and return to that page. To solve this problem I had to change
FormAuthenticator.java and AuthenticatorBase.java using your trick.

When the saved request is not found after j_security_login I save a request using
j_redirect_url and put a flag in a session note to indicate I'm redirecting from
login. Now, when AuthenticatorBase.invoke is called again it checks to see if
the page is in security constraints or a redirect from login exists and calls
authenticate again to restore the saved url.

I will attach my solution because I believe a lot of developers wish for that
feature, even if it is not compliant with servlet specs.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
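
The comment above takes the post-login target from the j_redirect_url request parameter, so that value is client-controlled. A check that could be applied before such a value is saved as the request to restore, shown as an added example that is not the attached patch or Tomcat code; the class name, method name, context path and sample values are constructed for illustration:

```java
import java.net.URI;
import java.net.URISyntaxException;

public final class LoginRedirectCheck {

    /** Returns a same-application target, or the fallback when the value is unusable. */
    static String safeTarget(String requested, String contextPath, String fallback) {
        if (requested == null || requested.isEmpty()) return fallback;
        // Control characters allow header splitting; browsers treat "\" like "/".
        for (int i = 0; i < requested.length(); i++) {
            char c = requested.charAt(i);
            if (c < 0x20 || c == 0x7f || c == '\\') return fallback;
        }
        // Only server-relative paths: "//host/..." is scheme-relative and leaves the site.
        if (!requested.startsWith("/") || requested.startsWith("//")) return fallback;
        URI uri;
        try {
            uri = new URI(requested).normalize(); // collapses "/a/../b" to "/b"
        } catch (URISyntaxException e) {
            return fallback;
        }
        if (uri.getScheme() != null || uri.getRawAuthority() != null) return fallback;
        String path = uri.getRawPath();
        if (path == null) return fallback;
        // After normalization the path must still be inside this web application.
        if (!(path.equals(contextPath) || path.startsWith(contextPath + "/"))) return fallback;
        String query = uri.getRawQuery();
        return query == null ? path : path + "?" + query;
    }

    public static void main(String[] args) {
        String ctx = "/shop";                 // constructed context path
        String fallback = "/shop/index.jsp";  // constructed default landing page
        String[] samples = {                  // constructed j_redirect_url values
            "/shop/cart.jsp?id=3",
            "http://other.example/",
            "//other.example/",
            "/\\other.example",
            "/shop/../admin/",
            "/shop/x\r\nSet-Cookie: a=b"
        };
        for (String s : samples) {
            String shown = s.replace("\r", "\\r").replace("\n", "\\n");
            System.out.println(shown + " -> " + safeTarget(s, ctx, fallback));
        }
    }
}
```

Only the first sample is returned unchanged; every other value falls back to the default landing page.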

