tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Re-opening the browser
Date Mon, 11 Aug 2008 20:49:18 GMT

Christopher Schultz wrote:
> Mark,
> 
> Mark Thomas wrote:
> | If you go directly to the login page Tomcat can't tell the difference
> | between that situation and when you go to a protected page, are
> | redirected to the login page and then take so long to log in the session
> | times out (the page you need to be sent back to is stored in the
> | session). The error message assumes that the session has timed out.
> 
> Okay, so the Tomcat response is (expectedly) consistent. Thanks for
> stepping in.
> 
> Just out of curiosity, why does Tomcat not support drive-by logins? Is
> it merely because the spec leaves the behavior in that case ambiguous
> (there's no obvious target page to go to)?
Essentially, yes. Also, there is no spec-compliant way to define where to
go if login is successful. If this was added then, to be consistent, the
default target page would probably need to be defined in the Form Auth
valve in a context.xml.

> Many of securityfilter's
> users use it merely because it allows drive-by logins. We're happy to
> have them (!), but this seems like a reasonable feature to have in the
> core of Tomcat.
Given there is a demand for this, adding it as an option to the Form Auth 
valve seems reasonable to me. As ever, patches are always welcome on 
Bugzilla and this looks like a simple one although care will need to be 
taken on the error handling.

Mark


