tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: j_security_check redirect after login
Date Thu, 08 Nov 2007 21:06:44 GMT


Andrew R Feller wrote:
> I'm sorry but maybe I am reading a different version of the servlet 
> specification than you: it only explains the case where you access a 
> container-managed resource and then login.

That would be the only case covered by the servlet specification. Your
question about what happens when drive-by logins are attempted (trying
to submit directly to j_security_check with no prior request for a
protected resource) can easily be answered by trying it: you'll find
that Tomcat responds with either a 404 NOT FOUND error or something else
entirely unhelpful.

The specification only provides for a request / challenge /
authentication / re-process request cycle.

Anything else the servlet container chooses to support is outside of the
specification. Since Tomcat does not implement anything outside the
specification in this area, there is no further documentation to provide.

> The question I had was what happens when you directly request the
> login form and successfully login.  As you never requested a
> container-managed resource, then how does it know where to send you.

Not only will it not know where to send you, but it will not work at
all. If you want to do unsolicited logins, you will need to use a
3rd-party authentication scheme like securityfilter or ACEGI.

> David Smith at least understood it well enough to answer with the
> thought that the servlet container wouldn't allow you to access the
> login form directly.

I understood. Perhaps my reply was terse, but anything not covered by
the servlet specification should be considered undefined behavior by
definition. I was trying to point that out, perhaps a bit too subtly.

-chris
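The request / challenge / authentication / re-process cycle described above is what a form-based `<login-config>` plus a `<security-constraint>` gives you. The fragment below is an added illustration, not configuration from this thread or from Tomcat itself; the URL patterns (`/secure/*`), page names (`/login.html`, `/login-error.html`) and role name (`user`) are assumed for the example. Only `j_security_check`, `j_username` and `j_password` are the names the specification fixes.

```xml
<!-- web.xml fragment (assumed layout; servlet 2.5 schema) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Everything under /secure/ requires an authenticated user in role "user".
       A request here is what triggers the container's challenge; the container
       remembers this URL and re-processes the request after a successful login. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- FORM authentication: the container serves the login page in response to
       the challenge and consumes the POST to j_security_check itself. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example realm</realm-name>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login-error.html</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>

<!-- login.html (assumed file, written as XHTML): the form the container
     presents. The action and field names are the ones the specification
     defines; everything else is free-form. -->
<form method="post" action="j_security_check">
  <label>User name <input type="text" name="j_username" /></label>
  <label>Password <input type="password" name="j_password" /></label>
  <button type="submit">Log in</button>
</form>
```

The practical consequence of the thread's point: links and bookmarks should point at a protected resource (for example `/secure/index.jsp`), never at `/login.html` or `j_security_check` directly. A request for the protected page starts the cycle, so the container both challenges the user and knows where to send them afterwards; a POST to `j_security_check` with no pending protected request is the unsolicited login the reply describes, and the container has nothing to return to.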


