From: Jacob Kjome
To: "Tomcat Users List"
Subject: Re: How to prevent direct access to login.jsp
Date: Mon, 08 Dec 2003 23:00:08 -0600

Put the file in something like WEB-INF/jsp/login.jsp. Then either configure form-based authentication for the path to that JSP or have your MVC framework serve up that JSP page upon access to a protected resource. The "back" button will never know the exact location of the page.

Jake

At 05:59 PM 12/8/2003 -0500, you wrote:
>Hi,
>
>I realized that my user can mess himself by bookmarking the login page
>he is asked to log in. The login.jsp appears in the URL address in the
>browser...
>
>Does anyone know how to avoid this? How do I block that URL for the user
>and not for the server?
>
>Thanks.
>
>Yaakov Chaikin
>Software Engineer
>BAE SYSTEMS
>301-838-6899 (phone)
>301-838-6802 (fax)
>yaakov.y.chaikin@baesystems.com
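
The setup described in the reply above, as an added example that is not part of the original message: a web.xml fragment using form-based authentication with the login page kept under WEB-INF. The /app/* pattern, the "user" role, the realm name and error.jsp are assumed placeholders, and it assumes a container that reaches the login page by an internal forward, since files under WEB-INF cannot be requested directly by a client.

```xml
<!-- Added example: WEB-INF/web.xml fragment.
     Placeholders (assumptions): /app/*, role "user", realm name, error.jsp. -->
<web-app>

  <!-- Any request under /app/ requires an authenticated user in role "user". -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- The login and error pages live under WEB-INF, so a bookmarked or
       typed URL for them is refused; only the container can serve them
       when an unauthenticated user hits a protected resource.
       login.jsp posts j_username and j_password to j_security_check. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example realm</realm-name>
    <form-login-config>
      <form-login-page>/WEB-INF/jsp/login.jsp</form-login-page>
      <form-error-page>/WEB-INF/jsp/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>

</web-app>
```

With this layout the browser's address bar shows the protected URL the user asked for, not the location of login.jsp, so there is no login URL to bookmark.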