tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: j_security_check redirect after login
Date Thu, 08 Nov 2007 21:06:44 GMT

Andrew,

Andrew R Feller wrote:
> I'm sorry but maybe I am reading a different version of the servlet 
> specification than you: it only explains the case where you access a 
> container-managed resource and then login.

That would be the only case covered by the servlet specification. Your
question about what happens when drive-by logins are attempted (trying
to submit directly to j_security_check with no prior request for a
protected resource) can easily be answered by trying it: you'll find
that Tomcat responds with either a 404 NOT FOUND error or something else
entirely unhelpful.

The specification only provides for a request / challenge /
authentication / re-process request cycle.

Anything else the servlet container chooses to support is outside of the
specification. Since Tomcat does not implement anything outside the
specification in this area, there is no further documentation to provide.

> The question I had was what happens when you directly request the
> login form and successfully login.  As you never requested a
> container-managed resource, then how does it know where to send you.

Not only will it not know where to send you, but it will not work at
all. If you want to do unsolicited logins, you will need to use a
3rd-party authentication scheme like securityfilter or ACEGI.

> David Smith at least understood it well enough to answer with the
> thought that the servlet container wouldn't allow you to access the
> login form directly.

I understood. Perhaps my reply was terse, but anything not covered by
the servlet specification should be considered undefined behavior by
definition. I was trying to point that out, perhaps a bit too subtly.

-chris
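
The request / challenge / authentication / re-process cycle described in the message above, as a simplified model added here (it is not Tomcat's code and not part of the original message). The paths, the sample account and the 404 returned for the unsolicited case are assumptions chosen to match what the message reports.

```python
# Simplified model of servlet FORM authentication, container side only.
# Not Tomcat source: paths, account and status codes are assumptions.
import hmac
from dataclasses import dataclass
from typing import Optional

USERS = {"alice": "s3cret"}            # constructed sample account
PROTECTED_PREFIX = "/app/secure/"      # hypothetical security-constraint
LOGIN_PAGE = "/app/login.jsp"          # hypothetical form-login-page
ERROR_PAGE = "/app/error.jsp"          # hypothetical form-error-page
CHECK = "/app/j_security_check"

@dataclass
class Session:
    user: Optional[str] = None
    saved_request: Optional[str] = None  # original URL, held during the challenge

def handle(session, method, path, form=None):
    """Process one request; return (status, page served or redirect target)."""
    if method == "POST" and path == CHECK:
        if session.saved_request is None:
            # Unsolicited login: there is no request to re-process. The
            # specification defines nothing here; the model answers 404.
            return 404, "no saved request"
        form = form or {}
        expected = USERS.get(form.get("j_username", ""))
        supplied = form.get("j_password", "")
        if expected is None or not hmac.compare_digest(expected, supplied):
            return 200, ERROR_PAGE       # failed login, session stays anonymous
        session.user = form["j_username"]
        target, session.saved_request = session.saved_request, None
        return 302, target               # re-process the original request
    if path.startswith(PROTECTED_PREFIX) and session.user is None:
        session.saved_request = path     # request: remember it
        return 200, LOGIN_PAGE           # challenge: serve the login form
    return 200, path                     # unprotected, or already authenticated

if __name__ == "__main__":
    creds = {"j_username": "alice", "j_password": "s3cret"}
    normal, direct = Session(), Session()
    print(handle(normal, "GET", "/app/secure/report"))  # challenge
    print(handle(normal, "POST", CHECK, creds))         # redirect to saved URL
    print(handle(direct, "GET", LOGIN_PAGE))            # form requested directly
    print(handle(direct, "POST", CHECK, creds))         # no saved request
```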
