tomcat-users mailing list archives

From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: tomcat.auth.originalLocation with Tomcat 4.X
Date Wed, 22 May 2002 00:49:02 GMT


On Wed, 22 May 2002, Victor Hadianto wrote:

> Date: Wed, 22 May 2002 09:40:57 +1000
> From: Victor Hadianto <victorh@nuix.com.au>
> Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>,
>      victorh@nuix.com.au
> To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> Subject: Re: tomcat.auth.originalLocation with Tomcat 4.X
>
> Hi,
>
> I've posted this question a few days ago in the mailing list. Anyone know a good
> solution for this problem?
>
> I really appreciate any thoughts/suggestion on this problem

IMHO, you are trying to misuse form-based authentication.

The servlet spec requires that the container cache the *original* request
that triggered the authentication, and then replay it after the user is
successfully identified.  From the user experience point of view, it works
exactly like BASIC authentication does:

* User submits a request for a protected URI

* Container "pops up" the username/password dialog

* User fills in the form and submits

* Container replays the original request

Note that, at no time, does the user ever enter the "URL" of the login
page -- in fact, it doesn't really have one in BASIC authentication
(because it's actually created for you by the browser in that case).
Users simply ask for the pages they want, and containers simply challenge
for username/password when they don't know who you are.

Tomcat 3.x made a very poor design decision when they exposed the internal
mechanics of this as request attributes that were visible to application
level code.  Reliance on this feature locks you in to that particular
version of Tomcat -- it's not portable to Tomcat 4 or to any other servlet
container in the world.

>
> ta,
>

Craig McClanahan


> On Mon, 20 May 2002 14:16, you wrote:
> > I am using form-based authentication. With Tomcat 3.X when the user types
> > the login.jsp page directly I set the tomcat.auth.originalLocation
> > explicitly to tell tomcat where to forward.
> >
> > This doesn't seem to work anymore with Tomcat 4.0, although in my login.jsp
> > page (when the user is redirected to the login page, not accessing it
> > directly), Tomcat 4.0 does set the tomcat.auth.originalLocation, but it is
> > not used.
> >
> > Anyone has any workaround/solution?
> >
> > Regards,
>
> --
> Victor Hadianto
>
> --
> To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
>
>


--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
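
The container-managed flow described in the reply above, as an added example that is not part of the original message or of Tomcat itself: a Servlet 2.3 deployment descriptor in which the container alone decides when to show the login form and where to go afterwards. The `/app/*` pattern, the `user` role, the realm name and the page paths are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
    "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>

  <!-- Everything under /app/ (assumed path) requires an authenticated
       user in the "user" role (assumed role name). Application links
       point at these protected URIs, never at the login page. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- FORM login: on an unauthenticated request for /app/..., the
       container saves that request, presents the login page, and
       replays the saved request after a successful login.
       The login page only needs a form that POSTs the fields
       j_username and j_password to the action j_security_check.
       It does not read or set tomcat.auth.originalLocation or any
       other container-internal attribute. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Roles referenced by auth-constraint must be declared. -->
  <security-role>
    <role-name>user</role-name>
  </security-role>

</web-app>
```

With this descriptor a "log in" link in the application targets a protected URI such as `/app/` (assumed), so the container always has an original request to replay and the post-login destination is never taken from a client-settable value.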

