tomcat-users mailing list archives

From "Andrew R Feller" <afel...@lsu.edu>
Subject RE: j_security_check redirect after login
Date Thu, 08 Nov 2007 21:16:28 GMT
Christopher,

Please accept my apologies for my poor reactions.  Thank you and others
(Chuck, Matthias) for taking more time than you had to help me with this
issue.

Regards,

Andrew R Feller, Analyst
Subversion Administrator
University Information Systems
Louisiana State University
afelle1@lsu.edu
(office) 225.578.3737

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Thursday, November 08, 2007 3:07 PM
To: Tomcat Users List
Subject: Re: j_security_check redirect after login


Andrew,

Andrew R Feller wrote:
> I'm sorry but maybe I am reading a different version of the servlet 
> specification than you: it only explains the case where you access a 
> container-managed resource and then login.

That would be the only case covered by the servlet specification. Your
question about what happens when drive-by logins are attempted (trying
to submit directly to j_security_check with no prior request for a
protected resource) can easily be answered by trying it: you'll find
that Tomcat responds with either a 404 NOT FOUND error or something else
entirely unhelpful.

The specification only provides for a request / challenge /
authentication / re-process request cycle.

Anything else the servlet container chooses to support is outside of the
specification. Since Tomcat does not implement anything outside the
specification in this area, there is no further documentation to
provide.

> The question I had was what happens when you directly request the
> login form and successfully login.  As you never requested a
> container-managed resource, then how does it know where to send you.

Not only will it not know where to send you, but it will not work at
all. If you want to do unsolicited logins, you will need to use a
3rd-party authentication scheme like securityfilter or ACEGI.

> David Smith at least understood it well enough to answer with the
> thought that the servlet container wouldn't allow you to access the
> login form directly.

I understood. Perhaps my reply was terse, but anything not covered by
the servlet specification should be considered undefined behavior by
definition. I was trying to point that out, perhaps a bit too subtly.

- -chris
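The request / challenge / authentication / re-process cycle Chris describes, and the drive-by login that falls outside it, modelled as an added example written for this archive page; it is a constructed toy container, not Tomcat's FormAuthenticator or any code from the thread. It assumes a single protected path /admin, a login page /login.jsp and a sample user store, all made up here.

```python
from dataclasses import dataclass
from typing import Optional

PROTECTED = {"/admin"}           # paths under a security-constraint (assumed)
LOGIN_PAGE = "/login.jsp"        # form-login-page (assumed)
USERS = {"alice": "s3cret"}      # constructed sample credential store

@dataclass
class Session:
    user: Optional[str] = None
    saved_request: Optional[str] = None   # request saved when the challenge was issued

@dataclass
class Response:
    status: int
    location: Optional[str] = None

def handle(session, method, path, form=None):
    """Dispatch one request the way a FORM-auth container would (toy model)."""
    if path == "/j_security_check":
        if method != "POST" or session.saved_request is None:
            # No challenge preceded this login, so there is no saved request to
            # replay: the spec leaves this undefined and there is nowhere to go.
            return Response(404)
        form = form or {}
        if USERS.get(form.get("j_username")) != form.get("j_password"):
            return Response(302, "/error.jsp")
        session.user = form["j_username"]
        target, session.saved_request = session.saved_request, None
        return Response(302, target)          # re-process the original request
    if path in PROTECTED and session.user is None:
        session.saved_request = path          # challenge: remember what was asked for
        return Response(302, LOGIN_PAGE)
    return Response(200)

CREDS = {"j_username": "alice", "j_password": "s3cret"}

def spec_cycle():
    """request -> challenge -> authenticate -> re-process, as the spec defines it."""
    s = Session()
    r1 = handle(s, "GET", "/admin")                     # 302 to the login page
    r2 = handle(s, "POST", "/j_security_check", CREDS)  # 302 back to /admin
    r3 = handle(s, "GET", r2.location)                  # 200, now authenticated
    return (r1.status, r1.location, r2.status, r2.location, r3.status)

def drive_by_login():
    # Login form submitted with no prior request for a protected resource.
    return handle(Session(), "POST", "/j_security_check", CREDS).status
```

Running spec_cycle() walks the defined cycle to a 200 on /admin, while drive_by_login() ends at a 404 because the container never saved a request to return to.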

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


