tomcat-users mailing list archives

From "Andrew R Feller" <>
Subject RE: j_security_check redirect after login
Date Thu, 08 Nov 2007 21:16:28 GMT

Please accept my apologies for my poor reactions.  Thank you and others
(Chuck, Matthias) for taking more time than you had to help me with this


Andrew R Feller, Analyst
Subversion Administrator
University Information Systems
Louisiana State University
(office) 225.578.3737

-----Original Message-----
From: Christopher Schultz [] 
Sent: Thursday, November 08, 2007 3:07 PM
To: Tomcat Users List
Subject: Re: j_security_check redirect after login

Andrew R Feller wrote:
> I'm sorry but maybe I am reading a different version of the servlet 
> specification than you: it only explains the case where you access a 
> container-managed resource and then login.

That would be the only case covered by the servlet specification. Your
question about what happens when drive-by logins are attempted (trying
to submit directly to j_security_check with no prior request for a
protected resource) can easily be answered by trying it: you'll find
that Tomcat responds with either a 404 NOT FOUND error or something else
entirely unhelpful.

The specification only provides for a request / challenge /
authentication / re-process request cycle.

Anything else the servlet container chooses to support is outside of the
specification. Since Tomcat does not implement anything outside the
specification in this area, there is no further documentation to

> The question I had was what happens when you directly request the
> login form and successfully login.  As you never requested a
> container-managed resource, then how does it know where to send you.

Not only will it not know where to send you, but it will not work at
all. If you want to do unsolicited logins, you will need to use a
3rd-party authentication scheme like securityfilter or ACEGI.

> David Smith at least understood it well enough to answer with the
> thought that the servlet container wouldn't allow you to access the
> login form directly.

I understood. Perhaps my reply was terse, but anything not covered by
the servlet specification should be considered undefined behavior by
definition. I was trying to point that out, perhaps a bit too subtly.

-chris
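
The request / challenge / authentication / re-process cycle discussed in this thread corresponds to a FORM login configuration like the one below. This is an added example, not part of either message and not taken from the Tomcat project; the paths `/secure/*`, `/login.jsp`, `/login-error.jsp` and the role name `user` are assumed for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- 1. Request: an unauthenticated request for anything matching this
       pattern is what starts the cycle. The container remembers the
       original request before it answers. (Assumed path.) -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- 2. Challenge: the container serves the login page itself, in response
       to step 1. The page's form posts j_username and j_password to
       j_security_check.
       3. Authentication: the container validates the credentials.
       4. Re-process: on success the container replays the request it saved
       in step 1. With no saved request (login page opened directly, or a
       post straight to j_security_check) there is nothing to replay, which
       is the case the thread describes as outside the specification. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>

  <!-- Application links labelled "Log in" should therefore target a URL
       under /secure/ rather than /login.jsp, so every login begins at
       step 1 and the container has a request to return to. -->
</web-app>
```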