tomcat-users mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: in Tomcat container-based authN is there a way to redirect logins to a URL?
Date Fri, 08 Feb 2008 02:28:29 GMT

"Christopher Schultz" <chris@christopherschultz.net> wrote in message 
news:47AB2B45.2020003@christopherschultz.net...
> Gary,
>
> Gary Weaver wrote:
> | I get the following error, because those two page elements are relative
> | to the webapp and not to the host part of the URL:
> |
> |  HTTP Status 404 - /caladmin/Shibboleth.sso/Login
>
> :(
>
> Yeah, the spec says:
>
> "The form-login-page element defines the location in the web
> app where the page that can be used for login can be
> found.  The path begins with a leading / and is interpreted
> relative to the root of the WAR."
>

But more importantly, TC 5.5.x will do a forward to the login page, so it 
has to be served by Tomcat.

> Okay, there's one more trick you can try. Keep the form-login-config the
> way you have it in web.xml and add a filter (which may not work,
> either). Write a filter that always redirects to "/Shibboleth.sso/Login"
> (without adding the webapp's context path) no matter what, and install
> it so that it intercepts requests to "/Shibboleth.sso/Login" (which will
> include the context path).
>

This should work, but you need to configure it so that it intercepts 
forwards as well as top-level requests.

> If it works, it will take a request to /caladmin/Shibboleth.sso/Login
> (which is what Tomcat's authenticator generates) and perform a redirect
> to the URL that you really want.
>
> A little hack-y, but it might work.
>
> Another non-filter option would be to create a JSP for the login that
> performs the redirect. That might be a bit cleaner because the logic
> will be easier to follow (rather than having to simply know that there's
> a filter out there doing evil things).
>

Actually, this is a little hack-y too.  Shibboleth would need to redirect to 
j_security_check if the app ever POSTs to a restricted page in order to 
replay the request with the original request body.

> Hope that helps,
> -chris
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
> 
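
A sketch of the filter discussed in this thread, mapped for forwards as well as top-level requests (an added example, not code from either poster or from Tomcat). The package, class name and filter-name are hypothetical, and the Servlet 2.4 API shipped with Tomcat 5.5 is assumed. It does not address the POST replay through j_security_check raised in the reply.

```java
package example; // hypothetical package name

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/*
 * web.xml (Servlet 2.4). The two <dispatcher> elements matter: with none,
 * the filter runs only for REQUEST, and the authenticator's forward to the
 * form-login-page would bypass it.
 *
 * <filter>
 *   <filter-name>shibLoginRedirect</filter-name>
 *   <filter-class>example.ShibLoginRedirectFilter</filter-class>
 * </filter>
 * <filter-mapping>
 *   <filter-name>shibLoginRedirect</filter-name>
 *   <url-pattern>/Shibboleth.sso/Login</url-pattern>
 *   <dispatcher>REQUEST</dispatcher>
 *   <dispatcher>FORWARD</dispatcher>
 * </filter-mapping>
 */
public class ShibLoginRedirectFilter implements Filter {

    // Fixed target, never built from request parameters or headers, so the
    // filter cannot be steered into redirecting to an arbitrary site.
    private static final String LOGIN_URL = "/Shibboleth.sso/Login";

    public void init(FilterConfig config) {
        // no configuration needed
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        if (response.isCommitted()) {
            throw new ServletException("Response already committed; cannot redirect to login");
        }
        // A leading "/" is resolved against the container root, so the
        // webapp's context path (/caladmin) is not prepended.
        response.sendRedirect(LOGIN_URL);
        // chain.doFilter() is deliberately not called: nothing in the
        // webapp should render at this path.
    }

    public void destroy() {
        // nothing to release
    }
}
```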



