tomcat-users mailing list archives

From "Steven J. Owens" <>
Subject Redirecting Request To Login Form (J2EE form-based auth)
Date Tue, 28 Jan 2003 20:46:30 GMT
Hi folks,

     This just occurred to me... there's a gotcha with J2EE form-based
authentication ("broken as designed"), in that it uses a client-side
redirect to send the user to the login form, but if the user later
uses the Back key to get to the login form, or bookmarks the login
page, they get an error for trying to directly request it.

     Is there a way to put a client-side redirect in *before* the
security realm kicks in?  I.e. if they request: 

     I'd like them to get immediately redirected:

     (From which the normal form-based authentication redirect should
take over).

     What's the order-of-execution for this sort of thing, with
filters, realms, etc?  Can I specify a filter to act before the realm
does?  Would I have to put the login form outside the security realm?

     I guess I could put Apache in front of Tomcat and use an Apache
redirect, but I'd rather not add an extra layer of application
complexity needlessly.

Steven J. Owens

"I'm going to make broad, sweeping generalizations and strong,
 declarative statements, because otherwise I'll be here all night and
 this document will be four times longer and much less fun to read.
 Take it all with a grain of salt." - Me at
