tomcat-users mailing list archives

From "Roytman, Alex" <roytm...@peacetech.com>
Subject Form Authentication inconsistency
Date Wed, 15 Nov 2000 01:22:23 GMT
Hello,

Unless I missed something, I believe there is a deficiency in the Form
Authentication mechanism which does not let us protect an entire context.

When the protected resource is the entire context:
      <url-pattern>/*</url-pattern>

Tomcat enters an endless loop trying to call the login form:

   <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/login/login.jsp</form-login-page>
      <form-error-page>/login/error.jsp</form-error-page>
    </form-login-config>
   </login-config>

I believe Tomcat should call login forms without security checks, but it
looks like that is not the case.
Also, I don't know of any URL pattern which allows excluding certain
patterns, so what is a solution?

Any help is greatly appreciated

Alex
