tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jacob Kjome <>
Subject RE: How to prevent direct access to login.jsp
Date Tue, 09 Dec 2003 07:38:17 GMT
At 01:54 AM 12/9/2003 -0500, you wrote:
> > Put the file in something like WEB-INF/jsp/login.jsp.  Then either
> > configure form-based authentication for the path to that JSP
>I tried doing that, but when I specified /WEB-INF/jsp/login.html in
>         <auth-method>FORM</auth-method>
>         <form-login-config>
>                 <form-login-page>/WEB-INF/jsp
>                 <form-error-page>/WEB-INF/jsp
>         </form-login-config>
>The server tried to actually put that into the URL of the browser!  Am I
>doing something wrong?

Hmm... haven't use FORM auth in a while, but I thought the idea was to show 
the login file content in at the requested URL, not the actual location of 
the login form page.  What version of Tomcat are you using?  Maybe I'm 
misremembering what expected behavior is????

>I can't really do your second option since I am not using struts. I am
>using a much simpler custom MVC package that doesn't support things like
>this very easily.

It is a simple RequestDispatcher.forward() call to the form page.  The 
forward will not force the browser to display another URL like a redirect 
would.  Any MVC framework should support this.  It is part of the servlet spec.

>Would you be able to explain to me what I am doing wrong or how to set
>up your first option?

Try searching the list or look at the Tomcat docs for FORM Auth 
configuration and expected behavior.  I'd be surprised if the behavior you 
are seeing currently is expected.



To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message