tomcat-users mailing list archives

Subject Re: SSL and form-based login
Date Mon, 22 Nov 2004 14:46:26 GMT
On Sun, Nov 21, 2004 at 10:53:52AM -0800, footh wrote:
> The URL in the browser is the URL of the protected
> page I'm trying to access.  So, for example if
> /test/test.jsp is protected by forms-login and I click
> a link to that page, /test/test.jsp will be the URL in
> the browser, but the login page will appear on the
> screen.
	Well, that sounds like you're not getting an actual redirect
to the login page.  Unless you do that, the browser never sends
another request, so you stay in http mode.  According to the
servlet spec it's not supposed to do a redirect.
	Since it's not a redirect, the urls specified in login-config don't
get matched against a security constraint.  If they did, it'd be hard
not to create loops.  e.g.:
access to somepage.jsp triggers security-constraint on *.jsp requiring realm foo.
login-config is triggered to allow tomcat to figure out which realm the user is in
url for that is login.jsp, security-constraint is triggered, etc...
	That seems to make the automatic form login not all that useful
for ssl stuff, at least not at first glance.  A solution might be to
point your login-config url at a page that does an immediate redirect to the
actual login page.

define a security constraint that forces ssl and applies only to login.jsp.
No realm!  Since there's an explicit redirect we don't want to create a loop.
define another security constraint that specifies a realm and applies to everything else.
set up login-config to point to redirect.jsp
redirect.jsp does an immediate c:redirect to login.jsp
login.jsp works like normal. (j_security_check form and all)

Well, that's how I'm hoping it would work.  That depends on whether
the redirect that redirect.jsp does, and the extra GET the browser
does, will cause tomcat to clear out its original stored url.
It seemed to work that way with a quick test I just did, but I'm
not entirely sure I did it right.
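The layout the mail above proposes, written out as a web.xml fragment; this is an added illustration, not the poster's own configuration, and the role name "user" and the paths /login.jsp and /redirect.jsp are assumed.

```xml
<!-- web.xml fragment (Servlet 2.4 element order). Role "user" and the
     paths /login.jsp and /redirect.jsp are assumed for this illustration. -->

<!-- 1. Force SSL on the login page only. Deliberately NO auth-constraint:
        the page must be reachable before login, otherwise the explicit
        redirect from redirect.jsp would loop straight back into login. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Login page over SSL</web-resource-name>
    <url-pattern>/login.jsp</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- 2. Everything else needs an authenticated user in the role. The exact
        match on /login.jsp above takes precedence over this /* pattern. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected pages</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<!-- 3. Form login points at the redirecting page, not at login.jsp itself.
        Tomcat reaches this page by forward (no constraint matching), and
        redirect.jsp then sends the browser to login.jsp, where the SSL
        constraint in step 1 does get applied. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/redirect.jsp</form-login-page>
    <form-error-page>/redirect.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>
```

redirect.jsp holds only the JSTL core taglib directive and `<c:redirect url="/login.jsp"/>`, and login.jsp carries the usual form posting j_username and j_password to j_security_check; whether Tomcat keeps the originally requested url across that extra redirect is the point the mail above says still needs checking.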

