tomcat-users mailing list archives

From Jon Wingfield <>
Subject Re: How to prevent direct access to login.jsp
Date Tue, 09 Dec 2003 09:10:34 GMT
Tomcat 4.0.x, 4.1.x does a redirect to the login page specified in the 
Tomcat 5 does a forward so the login page url never reaches the browser.

There are a number of workarounds/hacks in the archives for tc4.
eg the thread "j_security_check - Bookmarking the login page. A teaser!"


Jacob Kjome wrote:
> At 01:54 AM 12/9/2003 -0500, you wrote:
>> > Put the file in something like WEB-INF/jsp/login.jsp.  Then either
>> > configure form-based authentication for the path to that JSP
>> I tried doing that, but when I specified /WEB-INF/jsp/login.html in
>> <login-config>
>>         <auth-method>FORM</auth-method>
>>         <form-login-config>
>>                 <form-login-page>/WEB-INF/jsp/login.html</form-login-page>
>>                 <form-error-page>/WEB-INF/jsp/loginError.html</form-error-page>
>>         </form-login-config>
>> </login-config>
>> The server tried to actually put that into the URL of the browser!  Am I
>> doing something wrong?
> Hmm... haven't used FORM auth in a while, but I thought the idea was to 
> show the login file content at the requested URL, not the actual 
> location of the login form page.  What version of Tomcat are you using?  
> Maybe I'm misremembering what expected behavior is????
>> I can't really do your second option since I am not using struts. I am
>> using a much simpler custom MVC package that doesn't support things like
>> this very easily.
> It is a simple RequestDispatcher.forward() call to the form page.  The 
> forward will not force the browser to display another URL like a 
> redirect would.  Any MVC framework should support this.  It is part of 
> the servlet spec.
>> Would you be able to explain to me what I am doing wrong or how to set
>> up your first option?
> Try searching the list or look at the Tomcat docs for FORM Auth 
> configuration and expected behavior.  I'd be surprised if the behavior 
> you are seeing currently is expected.
>> Thanks,
>> Yaakov.
> Jake
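The forward Jake describes, as an added example that is not part of the original messages: a servlet (the class name `LoginPageServlet` and its `/login` mapping are hypothetical) that serves the login page from under `WEB-INF` with `RequestDispatcher.forward()`, so the JSP's real path never reaches the browser. It uses the `javax.servlet` API and does not itself configure container FORM authentication.

```java
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical controller servlet; map it in web.xml to a public URL such as /login.
public class LoginPageServlet extends HttpServlet {

    // Path from the thread. The container refuses direct client requests for
    // anything under /WEB-INF/, so the page is reachable only through a dispatcher.
    private static final String LOGIN_PAGE = "/WEB-INF/jsp/login.jsp";

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Keep browsers and proxies from caching the login form.
        response.setHeader("Cache-Control", "no-store");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        RequestDispatcher dispatcher = request.getRequestDispatcher(LOGIN_PAGE);
        if (dispatcher == null) {
            // No resource could be resolved for the path.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Server-side forward: the browser keeps showing the URL it requested.
        // response.sendRedirect(...) would instead return a 302 whose Location
        // header carries the target path, which then shows in the address bar.
        dispatcher.forward(request, response);
    }
}
```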