tomcat-users mailing list archives

From "Willie Vu" <willi...@yahoo.com>
Subject RE: Question on FORM based authentication in Tomcat 4.0
Date Fri, 05 Oct 2001 04:14:27 GMT
Thanks for your prompt reply Craig.

Your advice leads me to another question.  OK, say I don't do that.  I let
Tomcat handle the login for me.  However, you can bookmark the login page
that Tomcat forwards them to.  In this case, there is no way to stop users
from accessing the login page directly.  Tomcat will not have a previous
request to forward the user to.  It results in an error.  How should I
resolve this problem then?

Regards,

Willie



> -----Original Message-----
> From: craigmcc@localhost [mailto:craigmcc@localhost]On Behalf Of Craig
> R. McClanahan
> Sent: Friday, October 05, 2001 11:56 AM
> To: tomcat-user@jakarta.apache.org; willievu@yahoo.com
> Subject: Re: Question on FORM based authentication in Tomcat 4.0
>
> On Fri, 5 Oct 2001, Willie Vu wrote:
>
> > Date: Fri, 5 Oct 2001 11:27:59 +0800
> > From: Willie Vu <willievu@yahoo.com>
> > Reply-To: tomcat-user@jakarta.apache.org, willievu@yahoo.com
> > To: tomcat-user@jakarta.apache.org
> > Subject: Question on FORM based authentication in Tomcat 4.0
> >
> > I would like to achieve the following:
> >
> > - allow users to log in directly without first accessing a protected area.
> > After successful login, I want to forward the user to a default
> > mypage.jsp.
> >
> > To do the above, I have to detect if the login page is accessed directly.
> > If so, I need to force in the default mypage.jsp.  In Tomcat 3.2.1, there
> > is the session attribute "tomcat.auth.originalLocation" where I can force
> > in the default page.  However, in Tomcat 4.0, a new Note API is employed.
> > It hides internal attributes from external use.  So, the only hook,
> > "tomcat.auth.originalLocation", is not available in Tomcat 4.0.
> >
> > I know that the Servlet 2.3 spec doesn't spell out how to handle direct
> > access to the login page.  I have scanned through the mail archive and
> > noticed a lot of people want to do this.  Can someone give us a sound
> > solution?
> >
>
> It's not a solution ... just advice if you want your app to work ...
> don't do that.
>
> My advice during development:  make your app work with BASIC
> authentication (where there is no such thing as a login page).  That is
> *exactly* the model that form-based login was designed to emulate.  Then,
> just before release to production, add the <form-login-page> and
> <form-error-page> directives pointing at the appropriate pages.
>
> If you don't design for that pattern, then you are just fighting what
> container managed security is all about (which is a total waste of time),
> and you are probably better off doing your own login management (instead
> of using container managed security).  There is absolutely no way you are
> going to be happy if you expect users to attempt to bookmark, or link to,
> the login page directly.
>
> > Regards,
> >
> > Willie
> >
>
> Craig McClanahan



