tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From footh <>
Subject Re: SSL and form-based login
Date Mon, 22 Nov 2004 16:21:11 GMT
Thanks for the help.  I see what you are saying about
the redirection to the login page not being a true
redirect.  I'll give your method a shot and see how it
turns out.  I can't believe this issue hasn't been
resolved before but I can't seem to find it via a
search on the archives.

On another note, once I'm in a page that is set to use
SSL all relative links within that page continue to
use SSL even though I would rather they be non-SSL. 
Is there an easy way to prevent that other than
hardcoding absolute URLs in all the non-SSL links?  

I guess I could set transport-guarantee tags to NONE
for every single non-SSL page.  That just seems like a
bit of an administrative hassle as everytime I add a
new page (or rather, folder) I'd have to add the
appropriate transport tag.

--- wrote:

> On Sun, Nov 21, 2004 at 10:53:52AM -0800, footh
> wrote:
> > The URL in the browser is the URL of the protected
> > page I'm trying to access.  So, for example if
> > /test/test.jsp is protected by forms-login and I
> click
> > a link to that page, /test/test.jsp will be the
> URL in
> > the browser, but the login page will appear on the
> > screen.
> 	Well, that sounds like you're not getting an actual
> redirect
> to the login page.  Unless you do that, the brower
> never sends
> another request, so you stay in http mode. 
> According to the 
> servlet spec it's not supposed to do a redirect.
> 	Since it's not a redirect, the urls specified in
> login-config don't
>  get matched against a security constraint.
> If they did, it'd be hard not to create loops. 
> e.g.:
> access to somepage.jsp triggers security-constraint
> on *.jsp requiring
>  realm foo.
> login-config is triggered to allow tomcat to figure
> out which realm the
>  user is in
> url for that is login.jsp, security-constraint is
> triggered, etc...
> 	That seems to make the automatic form login not all
> that useful
> for ssl stuff, at least not at first glance.  A
> solution might be to
> point your login-config url at a page that does an
> immediate redirect to the
> actual login page.
> i.e.:
> define a security constraint that forces ssl and
> applies only to login.jsp
>  no realm!  since there's an explicit redirect we
> don't want to create a loop.
> define another security constraint that specifies a
> realm and applies
>  to everything else.
> setup login-config to point to redirect.jsp
> redirect.jsp does an immediate c:redirect to
> login.jsp
> login.jsp works like normal. (j_security_check form
> and all)
> Well, that's how I'm hoping it would work.  That
> depends on whether
> the redirect that redirect.jsp does, and the extra
> get the browser
> does, will cause tomcat to clear out it's original
> stored url.
> It seemed to work that way with a quick test I just
> did, but I'm
> not entirely sure I did it right.
> eric
> To unsubscribe, e-mail:
> For additional commands, e-mail:

Do you Yahoo!? 
Meet the all-new My Yahoo! - Try it today! 

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message