tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mike W-M" <m...@ward-murphy.co.uk>
Subject Re: Workaround for login page direct reference
Date Tue, 17 Dec 2002 11:28:49 GMT
I'm going to have to sort this myself in the near future, but I don't quite
see how the fact that you can forward to the protected resource is going to
help?  Isn't Tomcat going to automatically redirect (not forward - the
distinction is important since redirecting will result in the login page's
URL showing up in the browser's address bar) to the login page you've
configured?   Actually... since redirecting causes the browser to initiate a
new request (for your WEB-INF/login page in this case), won't you get a
404-type error?

Someone posted in a similar thread the other day that they intended to check
a couple of things in the login page:
1. request.getRequestedSessionId() is *NULL* and
2. There is *NO* cookie named "JSESSIONID"
I think the theory was that these would both be true on the first occasion
the login page was accessed, but that if the user was already authenticated
then the conditions wouldn't hold so the page should redirect to the index
page.
It's not nice to be relying on a cookie name (what if they change it between
versions, or if cookies are turned off (though I'm not sure the
authentication works then anyway!)?) but I'm inclined to move in that
direction when it's my turn....

Mike.



----- Original Message -----
From: "Ben Jessel" <ben.jessel@morpheme.co.uk>
To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>; "Brett M.
Bergquist" <brett@thebergquistfamily.com>
Sent: Tuesday, December 17, 2002 10:55 AM
Subject: Re: Workaround for login page direct reference


I'll give that a go.

Thanks

Ben
----- Original Message -----
From: "Brett M. Bergquist" <brettmb@optonline.net>
To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>; "Ben Jessel"
<ben.jessel@morpheme.co.uk>
Sent: Monday, December 16, 2002 8:54 PM
Subject: Re: Workaround for login page direct reference


> Ben, I'm not sure but I believe that I've seen mention that you can
forward to a page that is not accessible to the outside.  That
> is, put the Login.jsp page within WEB-INF of your web app and it will not
be available to the outside world but you can forward to
> it from inside the web app.
>
> I don't know if this will work because I have not tried it but it might.
>
> Brett
>

...


--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>


Mime
View raw message