tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kevin HaleBoyes <>
Subject RE: FORM-based login questions
Date Thu, 17 May 2001 15:57:15 GMT
Thanks for your help.

I've been browsing the archives for this list and have noticed that the
question about the mis-redirect from the direct-access to the login.jsp
comes up fairly often.  I'm wondering (haven't tried anything yet) if I
can set up the redirection manually if the login page is accessed directly.
Maybe by adding an appropriate header field in the request...
I wonder if Sun lurks on this list and acts on any of these (seemingly)
short comings?

I looked at the Tomcat source code for an answer about protecting
the login.jsp file/form itself.  Tomcat serves it up even if it is in a
protected url path.  I haven't tried it but I think that's what the code

Thanks again for your help.

-----Original Message-----

Date: Wed, 16 May 2001 14:50:36 -0700
To: "''" <>
From: "JULIEN,TIMOTHY (HP-NewJersey,ex2)" <>
Subject: RE: FORM-based login questions
Message-ID: <>

1. You are right that the spec doesn't say what to do when a login form is
accessed directly.  This is why Tomcat doesn't know what to do.  Two things:

a) don't let users access login form directly.  Not sure what happens in
Tomcat if you protect the login form.  At least you can remove all links to
the login form in your app.  This is actuallythe point behind login forms -
so you don't have to worry about it in your app, it just happens by magic.
b) the spec needs to change to handle the case where a login form is
directly accessed by a client.  My personal view is a welcome file should be
returned.  If there isn't one, then a 404 should occur.

2. there is no logout mechanism in Servlet.  Your solution is i think good.

3. you could use a filter that runs before every servlet which does this
work for you

-----Original Message-----

Do You Yahoo!?
Get your free address at
or your free address at

View raw message